Abstract. We address a fundamental mismatch between the combinations of dynamics that occur in cyber-physical systems and the limited kinds of dynamics supported in analysis. Modern applications combine communication, computation, and control. They may even form dynamic distributed networks, where neither structure nor dimension stay the same while the system follows hybrid dynamics, i.e., mixed discrete and continuous dynamics.

We provide the logical foundations for closing this analytic gap. We develop a formal model for distributed hybrid systems. It combines quantified differential equations with quantified assignments and dynamic dimensionality-changes. We introduce a dynamic logic for verifying distributed hybrid systems and present a proof calculus for this logic. This is the first formal verification approach for distributed hybrid systems. We prove that our calculus is a sound and complete axiomatization of the behavior of distributed hybrid systems relative to quantified differential equations. In our calculus we have proven collision freedom in distributed car control even when an unbounded number of new cars may appear dynamically on the road.



1. Introduction 

Many safety-critical computers are embedded in cyber-physical systems like cars [HESV91, SRS+06] and aircraft [DMC05]. How do we know that their designs will work as intended? Most initial designs do not. And some deployed systems still do not. Ensuring the correct functioning of cyber-physical systems is a central challenge in computer science, mathematics, and engineering, because it is the key to designing smart and reliable control. Scientists and engineers need analytic tools to understand and predict the behavior of their systems. As systems become ever more complex, it becomes prohibitively expensive or impossible to test all possible interactions and rule out unsafe behavior by simulation. Formal verification techniques are used routinely to overcome this for finite systems. But for cyber-physical systems, there is not even a foundation for verification that would cover all required behavior.

There is a fundamental mismatch between the actual dynamics of cyber-physical system applications and the limits imposed by current modeling and analysis. Cyber-physical systems in automotive, aviation, railway, and power grids combine communication, computation, and control. Combining computation and control leads to hybrid systems [ACH+92, Bra95, Hen96, BBM98, Pla10b], whose behavior involves both discrete and continuous dynamics originating, e.g., from discrete control decisions and differential equations of motion. Combining communication and computation leads to distributed systems [Lyn96, AL01, AdBO10], whose dynamics are discrete transitions of system parts that communicate with each other. They may form dynamic distributed systems, where the structure of the system is not fixed but evolves over time and agents may appear or disappear during the system evolution.

Combinations of all three aspects (communication, computation, and control) are used in sophisticated applications, e.g., cooperative distributed car control [HESV91] and decentralized aircraft control [PSFB07]. Neither the structure nor dimension of the system stay the same, because new cars can appear on the street or leave it; see Fig. 1. These systems are (dynamic) distributed hybrid systems, i.e., systems that combine the dynamics of distributed systems with the discrete and continuous dynamics of hybrid systems. More generally, distributed hybrid systems are multi-agent hybrid systems that interact through remote communication or physical interaction. They cannot be considered just as a distributed system (because, e.g., the continuous evolution of positions and velocities matters crucially for collision freedom in car control) nor just as a hybrid system (because the evolving system structure and appearance of new agents can make an otherwise collision-free system unsafe). It is generally impossible to split the analysis of distributed hybrid systems soundly into an analysis of a distributed system (without continuous movement) and an analysis of a hybrid system (without structural changes or appearance), because all kinds of dynamics interact, just like hybrid systems are difficult to analyze from a purely discrete or a purely continuous perspective [Hen96, Pla12].

Figure 1: Distributed car control.

Distributed hybrid systems have been considered to varying degrees in modeling languages [DGV96, Rou04, KSPL06, MS06]. In order to build these systems, however, scientists and engineers also need analytic tools to understand and predict their behavior. But formal verification and proof techniques do not yet support the required combination of dynamical effects — which is not surprising given the numerous sources of undecidability for distributed hybrid systems verification.

In this article, we provide the logical foundations to close this fundamental analytic gap. We develop quantified hybrid programs (QHPs) as a formal model for distributed hybrid systems, which combine dynamical effects from multiple sources: discrete transitions, continuous evolution, dimension changes, and structural dynamics. In order to account for changes in the dimension and for co-evolution of an unbounded and evolving number of participants, we generalize the notion of states from assignments for primitive system variables like $x$ to full first-order structures. In a QHP, function term $x(i)$ may denote the position of car $i$ of type $C$, the term $f(i)$ could be the car registered by communication as the car following car $i$, and the term $d(i,f(i))$ could denote the minimum safety distance negotiated between car $i$ and its follower $f(i)$. The values of all these terms may evolve for all $i$ as time progresses according to interacting laws of discrete and continuous dynamics, because all cars evolve simultaneously. They are also affected by changing the system dimension as new cars appear, disappear, or by reconfiguring the system structure dynamically, e.g., by remote communication or physical interaction. The defining characteristic of QHPs is that they allow quantified hybrid dynamics in which variables like $i$ that occur in function arguments of the system dynamics are quantified over, such that the system co-evolves, e.g., for all cars $i$ of type $C$. This quantification is necessary to characterize the distributed hybrid systems dynamics with an unbounded and possibly evolving number of participants. Quantification is also necessary to represent structural dynamics when the number of participants is not fixed.

There is a crucial difference between a primitive system variable $x$ and a first-order function term $x(i)$, where $i$ is quantified over. Hybrid dynamics of primitive system variables can model a concrete number of, say, four cars (putting scalability issues aside), but neither a parametric number of $n$ cars nor systems with a variable number of cars (a number $n$ that may change over time). With first-order function symbols $x(i)$ and hybrid dynamics quantifying over all cars $i$, a single QHP can represent any number of cars at once. QHPs can even represent (dis)appearance of cars by changing the domain that quantifiers range over dynamically at runtime. QHPs are thus a formal model for general (dynamic) distributed hybrid systems.

Verification of distributed hybrid systems is challenging. We show that they have three independent sources of undecidability: discrete dynamics, continuous dynamics, and structural/dimensional dynamics. As an analysis tool for distributed hybrid systems, we introduce a specification and verification logic for QHPs that we call quantified differential dynamic logic (QdL). QdL provides dynamic logic [Pra76, HKT00] modal operators $[\alpha]$ and $\langle\alpha\rangle$ that refer to the states reachable by QHP $\alpha$ and can be placed in front of any formula. Formula $[\alpha]\phi$ expresses that all states reachable by system $\alpha$ satisfy formula $\phi$, while $\langle\alpha\rangle\phi$ expresses that there is at least one reachable state satisfying $\phi$. These modalities can express necessary or possible properties of the transition behavior of QHP $\alpha$. With its ability to specify and verify properties of (dynamic) distributed hybrid systems and quantified dynamics, QdL is a major extension of prior work for static hybrid systems [Pla08a, Pla10a] and conventional discrete programs [BP06, Rüm06].

Our primary contributions are:

• We introduce a formal system model and semantics that succinctly captures the logical quintessence of (dynamic) distributed hybrid systems with joint discrete, continuous, structural, and dimension-changing dynamics.

• We introduce a specification and verification logic for (dynamic) distributed hybrid systems.

• We present a proof calculus for this logic, which, to the best of our knowledge, is the first verification approach that can handle distributed hybrid systems with their hybrid dynamics and unbounded (and evolving) dimensions and structure.

• We prove that this compositional calculus is a sound and complete axiomatization of (dynamic) distributed hybrid systems relative to quantified differential equations.

• We have used our proof calculus to verify collision freedom in a distributed car control system, where an unbounded number of new cars may appear dynamically on the road.

In particular, we extend our previous extended abstract [Pla10c] by 28 pages worth of

• soundness and relative completeness proofs

• new results on ineffective fragments

• more detailed explanations and more examples

• new derived proof rules

• new formal proofs illustrating the interaction of quantifiers, first-order function symbols, and quantified system dynamics in detail

• a proof of collision avoidance in a simple distributed car control system, and a new result about a more advanced distributed car control system.

This work constitutes the logical foundation for analysis of distributed hybrid systems. Since distributed hybrid control is the key to control numerous advanced systems, analytic approaches have significant potential for applications. With a theorem prover based on our approach, we have verified collision avoidance in a distributed car control system, which is out of scope for other approaches. The approach presented here has been used subsequently for verifying distributed adaptive cruise control systems for highways [LPN11] and distributed air traffic control [Pla11].

Our verification approach for distributed hybrid systems is a fundamental extension compared to previous approaches. In much the same way as first-order logic increases the expressive power over propositional logic (quantifiers and function symbols are required to express properties of unbounded structures), QdL increases the expressive power over its predecessors (because first-order functions and quantifiers in the dynamics of QHPs are required to characterize systems with unbounded and changing dimensions).

2. Related Work 

Multi-party distributed control has been suggested for car control [HESV91] and air traffic control [DMC05]. Due to limits in verification technology, no formal analysis of the distributed hybrid dynamics has been possible for these systems yet. Analysis results include discrete message handling [HESV91] or collision avoidance for two participants [DMC05]. In distributed car control and air traffic control systems, appearance of new participants is a major unsolved challenge for formal verification.

Ad-hoc informal arguments have been used to discuss distribution effects away, e.g., assuming that at most 4 cars are close to one another. These arguments are treacherous, though. They are very case-specific and do not lend themselves to formal verification within one proof system because they need arguments outside the proof system to work. In distributed car control, for instance, it might, at first sight, be convincing to suspect that it would be enough to consider every possible constellation of, say, four cars. This breaks down at second thought, though, because, without a formal proof, there is no reason to believe that a locally consistent and safe system would be globally safe and consistent. Consider an example for the situation in Fig. 1, for instance. Even if hybrid systems verification techniques could show that local patterns consisting of the four cars $\{1, 2, n, 3\}$ are safe and that local patterns consisting of the four cars $\{2, n, 3, 4\}$ are safe, the full system consisting of all cars $\{1, 2, n, 3, 4\}$ still does not have to be safe. For example, the local pattern $\{1, 2, n, 3\}$ could be safe, because it will ask car $n$ to change lanes and ask car 2 to keep speed and car 3 to speed up. But the pattern $\{2, n, 3, 4\}$ could be safe, because it will ask car $n$ to change lanes but, instead, ask car 2 to slow down and car 3 to keep speed. Those two locally safe patterns still lead to a globally incompatible maneuver choice resulting in a crash, because both cars 2 and 3 would be forced to keep the speed (for they would otherwise collide with car 1 or 4, respectively) and, henceforth, collide with car $n$ during its lane change. More generally, independent actions in different parts of a system may still end up interacting by rippling effects. It is, thus, crucial to understand and verify the emergent behavior resulting from local control principles. The full distributed hybrid systems dynamics needs to be considered and we cannot generally hope to prove meaningful properties by simply ignoring part of the dynamics.

The importance of understanding dynamic / reconfigurable distributed hybrid systems was recognized in modeling languages SHIFT [DGV96] and R-Charon [KSPL06] before. They focused on simulation and compilation [DGV96] or the development of a semantics [KSPL06], so that no verification is possible yet. For stochastic simulation, see [MS06], where soundness has not been proven, because ensuring coverage is difficult by a random simulation. See [ZPC10] for a discussion of statistical evidence that can be obtained for randomized discrete-time hybrid systems by fair (i.i.d. sampled) simulation. This technique neither covers distributed hybrid systems nor continuous-time hybrid systems nor nondeterministic dynamics, all of which we cover in this article.

For distributed hybrid systems, even giving a formal semantics is very challenging [CJR95, Rou04, KSPL06, vBMR+06]! Zhou et al. [CJR95] gave a semantics for a hybrid version of CSP in the Extended Duration Calculus [ZRH92]. Rounds [Rou04] gave a semantics in a rich set theory for a spatial logic for a hybrid version of the π-calculus. In the hybrid π-calculus, processes interact with a continuously changing environment, but cannot themselves evolve continuously, which would be crucial to capture the physical movement of traffic agents. From the semantics alone, no verification is possible in these approaches, except perhaps by manual reasoning in the semantics.

Other process-algebraic approaches, like χ [vBMR+06], have been developed for modeling and simulation purposes. Verification is still limited to small fragments that can be translated directly to other verification tools like PHAVer or UPPAAL, which have fixed dimensions and restricted dynamics (thus no distributed hybrid systems).

Our approach is completely different. It is based on first-order structures and dynamic 
logic. We focus on developing a logic that supports distributed hybrid dynamics directly 
and that is amenable to automated theorem proving in the logic itself. 

For a detailed discussion of verification approaches for static real-time and hybrid systems, we refer to previous work [Pla08a, Pla10a, Pla08b, Pla10b]. Our previous work and other verification approaches for static hybrid systems cannot verify distributed hybrid systems. Distributed hybrid systems may have an unbounded and changing number of components/participants, which cannot be represented with any fixed finite number of dimensions of the state space. In distributed car control, for instance, there is no prior limit on the number of cars on the street. Even when there is a limit, explicit replication of the system, say, 100 times, does not yield a scalable verification approach, because most hybrid systems verification approaches scale exponentially in the number of participants or worse.

Approaches for distributed systems [AL01] do not cover hybrid systems, because the addition of differential equations to distributed systems is even more challenging than the addition of differential equations to discrete dynamics has been when forming hybrid systems. There is not even a bound on the number of differential equations that would need to be added to faithfully hybridize a distributed system.

In summary, previous approaches to distributed hybrid systems are limited to modeling, 
simulation, or the definition of a semantics. No formal verification technique was known for 
distributed hybrid systems before. 

3. Syntax 

As a formal logic for specifying and verifying correctness properties of distributed hybrid systems, we introduce quantified differential dynamic logic (QdL). QdL combines dynamic logic for reasoning about all ($[\alpha]\phi$) or some ($\langle\alpha\rangle\phi$) system runs of a system $\alpha$ [Pra76, HKT00] with many-sorted first-order logic for reasoning about all ($\forall i:C\,\phi$) or some ($\exists i:C\,\phi$) objects of a sort $C$, e.g., the sort of all cars. The most important defining characteristic of QdL is that $\alpha$ can be a distributed hybrid system, because the QdL system model of quantified hybrid programs (QHP) supports quantified operations that affect all objects of a sort $C$ at once. If $C$ is the sort of cars, the quantified assignment $\forall i:C\; a(i) := a(i)+1$ increases the respective accelerations $a(i)$ of all cars $i$ at once by a single instantaneous discrete jump. It can be used to model simultaneous discrete changes in multiple agents at once. Discrete changes where only some of the cars change their acceleration, others do not, are easy to model with quantified assignments by masking. The quantified differential equation $\forall i:C\; v(i)' = a(i)$ represents a continuous evolution of the respective velocities $v(i)$ of all cars $i$ at the same time according to their acceleration by their respective differential equations $v(i)' = a(i)$. Again, continuous evolutions where only some of the cars evolve, others remain stopped, are easy to model with quantified differential equations by masking. These quantified assignments and quantified differential equation systems of QHPs are crucial for representing distributed hybrid systems where an unbounded number of objects co-evolve simultaneously, because no finite set of classical assignments and classical differential equations could represent that. Note that, because of the close semantical relationship, we use the same quantifier notation $\forall i:C$ for quantified operations in programs and for quantifiers in logical formulas, instead of a separate notation $\Pi_{i:C}$ for parallel products in programs.

Interaction by communication can be modeled by (possibly quantified) discrete assignments to share data between agents $i$ and $j$ in QHPs. Physical interaction, instead, may be modeled either by (possibly quantified) discrete assignments when an agent $i$ activates a response in agent $j$ by an instantaneous discrete action (e.g., pushing a physical button) or by a (possibly quantified) differential equation involving multiple agents $i$ and $j$ when they come into physical contact and act jointly over a (nonzero) period of time (e.g., both agents jointly lifting and pulling on a rigid object). Observe that the cyber structure of the system reconfigures dynamically when discrete communication topologies change, whereas the physical structure reconfigures dynamically when agents engage in physical contact. QHPs for the latter case may involve structural changes in the quantified differential equation.

We model the appearance of new participants in the distributed hybrid system, e.g., new cars entering the road, by a QHP $n := \mathrm{new}\; C$. It creates a new object of type $C$, thereby extending the range of all subsequent quantified assignments or quantified differential equations ranging over created objects of type $C$. With quantifiers and function terms, $\mathrm{new}$ can be handled in an entirely modular way. In order to reduce the conceptual complexity, we first focus on the syntax and semantics of QdL and postpone the discussion of actual existence and creation until a later section. We will see that actual existence and creation are completely modular extensions.

The model of QHPs is of independent interest as a formal model for distributed hybrid systems. Inside a QHP, logical formulas can occur in state tests for conditional execution. We thus explain logical formulas, terms, and sorts first. Conversely, however, a QHP $\alpha$ occurs inside the modalities ($[\alpha]$ and $\langle\alpha\rangle$) of QdL formulas, which state properties of the behavior of $\alpha$. Hence, QHPs may occur inside QdL formulas yet formulas may occur inside QHPs. The subsequent definitions of QdL and QHP are thus to be understood by simultaneous induction. It is easier to start with sorts, terms, and logical formulas first and then explain the QHP model subsequently.

3.1. Quantified Differential Dynamic Logic. We introduce quantified differential dynamic logic (QdL), which is the first formal logic for specifying and verifying correctness properties of distributed hybrid systems. QdL is a combination of many-sorted first-order logic with dynamic logic, generalized to a system model (QHPs) for distributed hybrid systems.

Sorts. QdL supports a (finite) number of object sorts, e.g., the sort of all cars and that of all aircraft. For continuous quantities of distributed hybrid systems like positions or velocities, we add the sort $\mathbb{R}$ of real numbers. It would be easy to add subtyping of sorts; see previous work [BP06] for details. We refrain from doing so, because that just obscures the logical essence of our approach.

The primary purpose of the sorts is to distinguish different kinds of objects in multi-agent hybrid systems in which different kinds of agents occur, e.g., cars of sort $C$, traffic lights of sort $T$, lanes of sort $L$, and aircraft of sort $A$.

Terms. QdL terms are built from a set of (sorted) function and variable symbols as in many-sorted first-order logic. In particular, each function symbol $f$ has a fixed type $C_1 \times \dots \times C_n \to D$ for some $n \in \mathbb{N}$ and some sorts $D, C_1, \dots, C_n$ such that $f$ only accepts argument terms $\theta_1, \dots, \theta_n$ of the respective sorts $C_1, \dots, C_n$ and then $f(\theta_1, \dots, \theta_n)$ is a term of sort $D$. We use these function symbols to represent the state of the system or other parameters. In a car control scenario like that in Fig. 1, for instance, we could use function symbol $x$ to represent the positions of cars, i.e., the term $x(i)$ could represent the position of car $i$ and $x(j)$ the position of car $j$. Similarly, the term $v(i)$ could represent the velocity of car $i$ and $a(i)$ its acceleration. These terms have sort $\mathbb{R}$, whereas a term that represents the car in front of car $i$ has sort $C$.

Unlike in first-order logic, the interpretation of function symbols can change when transitioning from one state to the other while following the dynamics of a distributed hybrid system. The value of position $x(i)$ will change over time as car $i$ drives down the street. The value of $x(i)$ would also change if the argument term $i$ changes its value and now refers to a different car than before. Even objects may appear or disappear as the distributed hybrid system evolves. We use function symbol $E(\cdot)$ to distinguish between objects $i$ that actually exist ($E(i) = 1$) and those that have not been created yet or exist no longer ($E(i) = 0$), depending on the value of $E(i)$, which may also change its interpretation from state to state. We use $0, 1, +, -, \cdot$ with the usual notation and fixed semantics for nonlinear real arithmetic. Divisions can be added when guarding against divisions by zero [Pla08a]. For $n > 0$ we abbreviate $f(s_1, \dots, s_n)$ by $f(s)$ using vectorial notation and we use $s = t$ for component-wise equality.

Formulas. The formulas of QdL are defined as in first-order dynamic logic plus many-sorted first-order logic.

Definition 3.1. (QdL formulas). The formulas of QdL are defined by the following grammar ($\phi, \psi$ are formulas, $\theta_1, \theta_2$ are terms of the same sort, $i$ is a variable of sort $C$, and $\alpha$ is a QHP as defined in Section 3.2):

$$\phi, \psi ::= \theta_1 = \theta_2 \mid \theta_1 \geq \theta_2 \mid \lnot\phi \mid \phi \land \psi \mid \forall i:C\,\phi \mid \exists i:C\,\phi \mid [\alpha]\phi \mid \langle\alpha\rangle\phi$$

We use standard abbreviations to define $\leq, <, >, \lor, \to$. Sorts $C \neq \mathbb{R}$ have no ordering and only $\theta_1 = \theta_2$ is allowed, not $\theta_1 \geq \theta_2$. For sort $\mathbb{R}$, we abbreviate $\forall x:\mathbb{R}\,\phi$ by $\forall x\,\phi$ and $\exists x:\mathbb{R}\,\phi$ by $\exists x\,\phi$. In the following, all formulas and terms have to be well-typed. For instance, $x(i) = f(i)$ is no formula if $x$ has type $C \to \mathbb{R}$ and $f$ has type $C \to C$ for a sort $C \neq \mathbb{R}$, or if $i$ has a sort $D \neq C$. QdL formula $[\alpha]\phi$ expresses that all states reachable by QHP $\alpha$ satisfy formula $\phi$. Likewise, $\langle\alpha\rangle\phi$ expresses that there is at least one state reachable by $\alpha$ for which $\phi$ holds.

For short notation, we allow conditional terms of the form $\mathrm{if}\;\phi\;\mathrm{then}\;\theta_1\;\mathrm{else}\;\theta_2\;\mathrm{fi}$ (where $\theta_1$ and $\theta_2$ have the same sort). This term evaluates to $\theta_1$ if the formula $\phi$ is true and to $\theta_2$ otherwise. We generally consider formulas with conditional terms as abbreviations, e.g., $\psi(\mathrm{if}\;\phi\;\mathrm{then}\;\theta_1\;\mathrm{else}\;\theta_2\;\mathrm{fi})$ abbreviates $(\phi \to \psi(\theta_1)) \land (\lnot\phi \to \psi(\theta_2))$. Conditional terms can be understood as an additional operator for terms and formulas as well.

Example. A major challenge in distributed car control systems [HESV91] is that they do not follow fixed, static setups. Instead, new situations can arise dynamically that change structure and dimension of the system whenever new cars appear on the road from on-ramps or leave it; see Fig. 1. As a running example, we model a distributed car control system DCCS. First, we consider desirable QdL properties of the system DCCS for which we will later develop a series of increasingly more realistic models as QHPs.

If $i$ is a term of type $C$ (for cars), let $x(i)$ denote the position of car $i$, $v(i)$ its current velocity, and $a(i)$ its current acceleration; see Fig. 1. A car control system is collision-free at a state if all cars are at different positions, i.e., $\forall i \neq j : C\; x(i) \neq x(j)$. Without a quantifier we could not describe that all cars on a highway are in a collision-free state, because there is a large number of cars on the highway and we may not know how many. The car control system is globally collision-free if it will always stay collision-free. The following QdL formula expresses that the system DCCS controls cars in a way that is always collision-free:

$$(\forall i, j : C\; \mathcal{M}(i,j)) \to [\mathit{DCCS}]\; \forall i \neq j : C\; x(i) \neq x(j) \qquad (3.1)$$

It says that cars following the distributed hybrid systems dynamics of DCCS are always collision-free (postcondition), provided that DCCS starts in an initial state satisfying a formula $\mathcal{M}(i,j)$ for all cars $i, j$ (precondition). In particular, the modality $[\mathit{DCCS}]$ expresses that all states reachable by following the distributed hybrid system DCCS satisfy the postcondition $\forall i \neq j : C\; x(i) \neq x(j)$. The simple-most choice for the formula $\mathcal{M}(i,j)$ in the precondition is a formula that characterizes a simple compatibility condition: for different cars $i \neq j$, the car that is further down the road (i.e., with greater position) neither moves slower nor accelerates slower than the other car, i.e.:

$$\mathcal{M}(i,j) \equiv i \neq j \to \big((x(i) < x(j) \land v(i) \leq v(j) \land a(i) \leq a(j)) \lor (x(i) > x(j) \land v(i) \geq v(j) \land a(i) \geq a(j))\big) \qquad (3.2)$$

Even though this monotonicity condition is not the only safe choice for $\mathcal{M}(i,j)$, some precondition like $\forall i, j : C\; \mathcal{M}(i,j)$ is necessary, because car control is unsafe if the cars start with incompatible velocities or acceleration choices initially. In fact, we may suspect that a corresponding condition like this may have to hold all the time for the system to remain safe. The car controllers will thus have to make sure they maintain $\forall i, j : C\; \mathcal{M}(i,j)$ always. And formal verification will have to make sure that formula (3.1) is actually valid for the appropriate choices of DCCS.

How do we design the distributed hybrid system DCCS that satisfies the QdL formula (3.1)? What is an appropriate model for distributed hybrid systems? How can we then prove that (3.1) is true? Next, we introduce QHPs as a general model for distributed hybrid systems and then discuss possible choices of QHPs for DCCS. The reader should note that more sophisticated combinations of nested quantifiers and modalities are possible with QdL as well.

3.2. Quantified Hybrid Programs. As a formal model for distributed hybrid systems, we introduce quantified hybrid programs (QHPs). These are regular programs from dynamic logic [HKT00] to which we add quantified assignments and quantified differential equation systems for distributed hybrid dynamics. From these quantified assignments and quantified differential equations, QHPs are built like a Kleene algebra with tests [Koz97].

Definition 3.2. (Quantified hybrid programs). QHPs are defined by the following grammar ($\alpha, \beta$ are QHPs, $i$ a variable of sort $C$, $f$ is a function symbol, $s$ is a vector of terms with sorts compatible to the arguments of $f$, $\theta$ is a term with sort compatible to the result of $f$, and $\chi$ is a formula of many-sorted first-order logic):

$$\alpha, \beta ::= \forall i:C\; f(s) := \theta \mid \forall i:C\; f(s)' = \theta \,\&\, \chi \mid ?\chi \mid \alpha \cup \beta \mid \alpha;\beta \mid \alpha^*$$

In order to simplify technical difficulties, we impose regularity assumptions on $f(s)$ in quantified assignments and quantified differential equations. We assume $s$ to be either a vector of length 0 or that the mapping from the quantified variable $i$ to $s$ is injective. That is, each value of $s$ can be exhibited by at most one choice of $i$. A system is injective, e.g., when at least one component of $s$ is the quantified variable $i$. These assumptions can be relaxed, but are sufficient for our purposes; see the later discussion of injectivity. For quantified differential equations, we further assume that $f$ is an $\mathbb{R}$-valued function symbol so that derivatives can be defined.

Quantified State Change. The effect of quantified assignment $\forall i:C\; f(s) := \theta$ is an instantaneous discrete jump assigning $\theta$ to $f(s)$ simultaneously for all objects $i$ of sort $C$. Hence all $f(s)$ that are affected by $\forall i:C\; f(s) := \theta$ will change their value to the respective $\theta$ simultaneously for all choices of $i$ in a single discrete instant of time. Usually, $i$ occurs in term $\theta$, but does not have to. The effect of quantified differential equation $\forall i:C\; f(s)' = \theta \,\&\, \chi$ is a continuous evolution where, for all objects $i$ of sort $C$, all differential equations $f(s)' = \theta$ hold at the same time and formula $\chi$ holds throughout the evolution (the state always remains in the region described by $\chi$, i.e., the evolution stops at any arbitrary time before it leaves $\chi$). Again, $i$ usually occurs in term $\theta$. For the trivial evolution domain restriction $\chi = \mathit{true}$, which is always satisfied, we also write $\forall i:C\; f(s)' = \theta$ instead of $\forall i:C\; f(s)' = \theta \,\&\, \mathit{true}$.

The dynamics of QHPs changes the interpretation of terms over time: $f(s)'$ is intended
to denote the derivative of the interpretation of the term $f(s)$ over time during continuous
evolution, not the derivative of $f(s)$ by its argument $s$. For $f(s)'$ to be defined, we assume
$f$ is an $\mathbb{R}$-valued function symbol. Although our approach can be extended, we assume
that $f$ does not occur in $s$. The most common choice of $s$ in quantified assignments and
quantified differential equations is just $i$. Other choices are possible for $s$, e.g., $s = (i, f(i))$
in $\forall i:C\ d(i,f(i)) := \frac{1}{2}a(i) + \frac{1}{2}a(f(i))$. The latter QHP could be used to model that, for
each car $i$, the average acceleration of car $i$ and its follower $f(i)$ is assigned to a data field
$d(i,f(i))$ that car $i$ and its follower use to determine their safe distance.

Time itself is not special but implicit. If a clock variable $t$ is needed in a QHP, it
can be axiomatized by $t' = 1$, which is equivalent to $\forall i:C\ t' = 1$ where $i$ does not occur in
$t$. For such vacuous quantification ($i$ does not occur anywhere), we may omit $\forall i:C$ from
assignments and differential equations, which are then classical assignments and ordinary
differential equations. Similarly, we may omit vectors $s$ of length 0.

Regular Programs. The test action $?\chi$ is used to define conditions. Its effect is that of
a no-op if the formula $\chi$ is true in the current state; otherwise, like abort, it allows no
transitions. That is, if the test succeeds because formula $\chi$ holds in the current state, then
the state does not change, and the system execution continues normally. If the test fails
because formula $\chi$ does not hold in the current state, then the system execution cannot
continue, is cut off and not considered any further.

The nondeterministic choice $\alpha \cup \beta$, sequential composition $\alpha;\beta$, and nondeterministic
repetition $\alpha^*$ of programs are as in regular expressions but generalized to a semantics in
distributed hybrid systems. Nondeterministic choice $\alpha \cup \beta$ is used to express behavioral
alternatives between the transitions of $\alpha$ and $\beta$. That is, the QHP $\alpha \cup \beta$ can choose
nondeterministically to follow the transitions of QHP $\alpha$, or, instead, to follow the transitions
of QHP $\beta$. The sequential composition $\alpha;\beta$ says that the QHP $\beta$ starts executing after
QHP $\alpha$ has finished ($\beta$ never starts if $\alpha$ does not terminate). In $\alpha;\beta$, the transitions of $\alpha$
take effect first, until $\alpha$ terminates (if it does), and then $\beta$ continues. Observe that, like
repetitions, continuous evolutions within $\alpha$ can take more or less time, which causes
uncountable nondeterminism. This nondeterminism is inherent in distributed hybrid systems,
because they can operate in so many different ways, and it is reflected as such in QHPs.
Nondeterministic repetition $\alpha^*$ is used to express that the QHP $\alpha$ repeats any number of
times, including zero times. When following $\alpha^*$, the transitions of QHP $\alpha$ can be repeated
over and over again, any nondeterministic number of times ($\geq 0$).

QHPs (with their semantics and our proof rules) can be extended to systems of quantified
differential equations, systems of simultaneous assignments to multiple functions $f, g$,
and statements with multiple quantifiers ($\forall i:C\ \forall j:D\ \ldots$). This includes the quantified
differential equation system $\forall i:C\ (x(i)' = v(i), v(i)' = a(i))$, which we can understand as a
second-order quantified differential equation $\forall i:C\ (x(i)'' = a(i))$ or as a vectorial first-order
quantified differential equation $\forall i:C\ z(i)' = \theta$ with $z(i) = (x(i), v(i))$ and $\theta = (v(i), a(i))$;
see [Pla08a] for details on how to handle vectorial differential equations. It is similarly
simple to extend our approach to quantified assignments with multiple function symbols
like $\forall i:C\ (a(i) := a(i) + 1, t(i) := 0)$, which is a vectorial extension that can be handled
like parallel updates in programs [BP06]. Our approach can also be extended to multiple
quantifiers like in the quantified differential equation $\forall i:C\ \forall j:D\ f(i,j)' = a(i) - d(i,j)$ or
the quantified assignment $\forall i:C\ \forall j:D\ d(i,j) := d(i,j) + a(i) + 1$. These quantifier blocks
correspond to $\forall i:C$ with a vectorial variable $i$ and a vectorial sort $C$. Since these simple
vectorial extensions [Pla08a, BP06] are a diversion from the logical essence of our approach,
we simplify notation and do not consider these cases formally.

Example. Continuous movement of position $x(i)$ of car $i$ with acceleration $a(i)$ is expressed
by the differential equation $x(i)'' = a(i)$, which corresponds to the first-order differential
equation system $x(i)' = v(i), v(i)' = a(i)$ where $v(i)$ is the velocity of car $i$. Simultaneous
movement of all cars with their respective accelerations $a(i)$ is expressed by the quantified
differential equation $\forall i:C\ (x(i)'' = a(i))$ where the quantifier $\forall i:C$ ranges over all cars, such that
all cars co-evolve along their respective differential equations at the same time.

In addition to continuous dynamics, cars have discrete control. In the following QHP,
discrete and continuous dynamics interact (repeatedly because of the $^*$ repetition operator):

$$(\forall i:C\ (a(i) := \mathit{if}\ \forall j:C\ \mathit{far}(i,j)\ \mathit{then}\ a\ \mathit{else}\ {-b}\ \mathit{fi});\ \forall i:C\ (x(i)'' = a(i)))^* \qquad (3.3)$$

First, all cars $i$ control their acceleration $a(i)$. Each car $i$ chooses maximum acceleration
$a \geq 0$ for $a(i)$ if its distance to all other cars $j$ is far enough (some condition $\mathit{far}(i,j)$).
Otherwise, $i$ chooses full braking $-b < 0$. After all accelerations have been set, all cars move
continuously along $\forall i:C\ (x(i)'' = a(i))$. Accelerations may change repeatedly, because the
repetition operator $^*$ can repeat the QHP when the continuous evolution stops at any time.

Note that the presence of the function argument $i$ in $x(i), v(i), a(i)$ is a decisive difference
when comparing the QHP in (3.3) to hybrid systems and when comparing the QdL formula
in (3.1) to hybrid systems properties. In hybrid systems, we are limited to using variables
$x, v, a$ of a single car. If we want to add a second car to a hybrid system model, new state
variables $y, w, c$, new dynamics $y' = w, w' = c$, and new control need to be added for the
second car. We can keep on adding any fixed finite number of state variables that way,
but we need to know exactly how many cars there are on the street. This does not work
when we want to model and verify situations with arbitrarily many cars or in distributed
car control scenarios like Fig. 1 where new cars appear or disappear during the evolution
of the system. A quantified differential equation like $\forall i:C\ (x(i)' = v(i), v(i)' = a(i))$, for
example, cannot be expressed in hybrid systems, because we do not know how many cars $i$
ranges over. If $i$ did range over exactly 3 cars, called 1, 2, and 3, we could replace it by

$$x(1)' = v(1),\ v(1)' = a(1),\ x(2)' = v(2),\ v(2)' = a(2),\ x(3)' = v(3),\ v(3)' = a(3)$$

and change notation to obtain primitive state variables $x_1, v_1, a_1, x_2, v_2, a_2, x_3, v_3, a_3$ in an
ordinary differential equation system

$$x_1' = v_1,\ v_1' = a_1,\ x_2' = v_2,\ v_2' = a_2,\ x_3' = v_3,\ v_3' = a_3$$

But this replacement does not work unless we know exactly how many cars are in the
system. Even for systems with a fixed known but large number of participants, such flat
representations as (non-distributed) hybrid systems are inefficient, because the system
dimension is exponential in the number of participants and all reasoning needs to be repeated
for each participant, or even for each pair of participants (collision freedom requires each
pair of cars to remain safely separated). This is why we benefit from studying distributed
hybrid systems.
One remaining issue with QHP (3.3) is that cars could still move backwards by braking
long enough. But this does not capture braking. In order to say that cars can accelerate or
brake but may never move backwards, we refine QHP (3.3) to the following QHP in which
the evolution domain of the quantified differential equation is restricted (by $\&$) to stay in
the region $v(i) \geq 0$ where each car $i$ has a nonnegative velocity:

$$(\forall i:C\ a(i) := (\mathit{if}\ \forall j:C\ \mathit{far}(i,j)\ \mathit{then}\ a\ \mathit{else\ if}\ v(i) > 0\ \mathit{then}\ {-b}\ \mathit{else}\ 0\ \mathit{fi\ fi});\ \forall i:C\ (x(i)' = v(i), v(i)' = a(i)\ \&\ v(i) \geq 0))^*$$

Observe that this controller is also smarter about the acceleration choices of cars than that
in (3.3). It will choose $0$ for $a(i)$ if car $i$ does not move ($v(i) = 0$) but car $i$ cannot accelerate
safely either, because not all cars $j$ are far enough away.

System Structure. The communication model that QdL supports is that of shared variable
communication. Suppose a car $i$ has direct control over the acceleration of car $j$. Then,
when $i$ decides to brake, it could directly change the acceleration of car $j$ as well using
the QHP $a(j) := a(j) - 2$. In most system designs, control variables of other agents are
not directly accessible but communication has to be used instead. In QdL, communication
can be implemented by assigning to shared variables (delays in communication are easy
to model by combining assignments with differential equations). Suppose $s(i)$ is the data
field that car $i$ queries periodically to track how much distance it is supposed to maintain
relative to its leader car. Then the QHP $\forall i:C\ s(f(i)) := s(f(i)) + 10$ would cause each car
$i$ to tell its respective follower car $f(i)$ to increase the safety distance $s(f(i))$ by 10, e.g., when
the road conditions are slippery.

Shared (first-order) variables are sufficient to model discrete structural dynamics, e.g.,
of changing communication links. If, for example, the car $f(i)$ following car $i$ has left the
street, car $i$ may update its communication link to reflect this change in the structure of the
system by running the QHP $f(i) := f(f(i))$ that updates the follower of $i$ to the follower of
$f(i)$, i.e., the follower of the follower of $i$. Other discrete structural changes in the system and
communication patterns as well as all data structures can be modeled easily, since a complete
object-oriented programming language [BP06] can be defined in QdL. Shared (first-order)
variables are also sufficient to model continuous structural dynamics, since structural changes in
the continuous dynamics can be modeled by quantified differential equations that change
their connectivity, i.e., which parts of the quantified differential equation depend on which
other parts. For example, in the QHP $\forall i:C\ (x(i)'' = a(i) + c(i,f(i))\,a(f(i)))$ the connectivity
term $c(i,f(i))$ models whether or not the follower $f(i)$ of car $i$ has physical bumper-to-bumper
contact with car $i$, such that the acceleration $a(f(i))$ of car $f(i)$ also pushes car
$i$ forwards, not just car $f(i)$. The change of $c(i,f(i))$ from zero to non-zero represents a
structural change in the physical dynamics, because it changes the effect of the continuous
dynamics structurally.

These examples illustrate how the discrete dynamics, continuous dynamics, and discrete
and continuous structural dynamics of distributed hybrid systems with an arbitrary
parametric number of participants can be modeled as a QHP. We defer the explanation of
dimensional dynamics, i.e., dynamic appearance and disappearance of agents, to Section 5.
4. Semantics

The QdL semantics is a constant domain Kripke semantics [FM99] with first-order structures
as states that associate total functions of appropriate type with function symbols. In
constant domain semantics, all states share the same domain for quantifiers. In particular, we choose
to represent object creation not by changing the domain of states, but by changing the
interpretation of the createdness flag $E(i)$ of the object denoted by $i$. With $E(i)$, object
creation is definable in a modular way (as we elaborate in Section 5).

States. A state $\sigma$ associates an (infinite) set $\sigma(C)$ of objects with each sort $C$, and it
associates a function $\sigma(f)$ of appropriate type with each function symbol $f$, including $E(\cdot)$.
We assume $E(\cdot)$ to have (unbounded but) finite support, i.e., each state only has a finite
number of positions $i$ at which $E(i) = 1$. This makes sense in practice, because there is a
varying and possibly large but still finite number of participants (e.g., cars). For simplicity,
$\sigma$ also associates a value $\sigma(i)$ of appropriate type with each variable $i$. The domain of $\mathbb{R}$
and the interpretation of $0, 1, +, -, \cdot$ is that of real arithmetic. We assume constant domain
for each sort $C$: all states $\sigma, \tau$ share the same domains $\sigma(C) = \tau(C)$ for $C$. Sorts $C \neq D$
are disjoint: $\sigma(C) \cap \sigma(D) = \emptyset$. The set of all states is denoted by $\mathcal{S}$. The state $\sigma^e_i$ agrees
with $\sigma$ except for the interpretation of variable $i$, which is changed to $e$.

Formulas. We use $\sigma[\![\theta]\!]$ to denote the value of term $\theta$ at state $\sigma$, which is defined as in
first-order logic. Especially, $\sigma^e_i[\![\theta]\!]$ denotes the value of $\theta$ in state $\sigma^e_i$, i.e., in state $\sigma$ with
$i$ interpreted as $e$. Further, $\rho(\alpha) \subseteq \mathcal{S} \times \mathcal{S}$ denotes the state transition relation of QHP $\alpha$,
which we define below.

Definition 4.1 (Semantics of QdL). The interpretation $\sigma \models \phi$ of QdL formula $\phi$ with
respect to state $\sigma$ is defined inductively as:

(1) $\sigma \models (\theta_1 = \theta_2)$ iff $\sigma[\![\theta_1]\!] = \sigma[\![\theta_2]\!]$; accordingly for $\geq$ (greater or equal).

(2) $\sigma \models \phi \wedge \psi$ iff $\sigma \models \phi$ and $\sigma \models \psi$; accordingly for $\neg$ (not).

(3) $\sigma \models \forall i:C\ \phi$ iff $\sigma^e_i \models \phi$ for all objects $e \in \sigma(C)$.

(4) $\sigma \models \exists i:C\ \phi$ iff $\sigma^e_i \models \phi$ for some object $e \in \sigma(C)$.

(5) $\sigma \models [\alpha]\phi$ iff $\tau \models \phi$ for all states $\tau$ with $(\sigma, \tau) \in \rho(\alpha)$.

(6) $\sigma \models \langle\alpha\rangle\phi$ iff $\tau \models \phi$ for some state $\tau$ with $(\sigma, \tau) \in \rho(\alpha)$.

We say that $\phi$ is true at $\sigma$ if $\sigma \models \phi$. A QdL formula $\phi$ is valid, written $\models \phi$, iff $\sigma \models \phi$ for all $\sigma$.

Programs. QHPs have a compositional semantics. The semantics of a QHP is its reachability
relation.

Definition 4.2 (Transition semantics of QHPs). The transition relation $\rho(\alpha) \subseteq \mathcal{S} \times \mathcal{S}$
of QHP $\alpha$ specifies which state $\tau \in \mathcal{S}$ is reachable from $\sigma \in \mathcal{S}$ by running QHP $\alpha$. It is
defined inductively:

(1) $(\sigma, \tau) \in \rho(\forall i:C\ f(s) := \theta)$ iff state $\tau$ is identical to $\sigma$ except that at each position $o$
of $f$: if $\sigma^e_i[\![s]\!] = o$ for some object $e \in \sigma(C)$, then $\tau(f)(\sigma^e_i[\![s]\!]) = \sigma^e_i[\![\theta]\!]$. If there are
multiple objects $e$ giving the same position $\sigma^e_i[\![s]\!] = o$, then all of the resulting states $\tau$
are reachable.

(2) $(\sigma, \tau) \in \rho(\forall i:C\ f(s)' = \theta \,\&\, \chi)$ iff there is a function $\varphi: [0, r] \to \mathcal{S}$ for some $r \geq 0$ with
$\varphi(0) = \sigma$ and $\varphi(r) = \tau$ satisfying the following conditions. At each time $t \in [0, r]$, state
$\varphi(t)$ is identical to $\sigma$, except that at each position $o$ of $f$: if $\sigma^e_i[\![s]\!] = o$ for some object
$e \in \sigma(C)$, then, at each time $\zeta \in [0, r]$:

• All differential equations hold and corresponding derivatives exist (trivial for $r = 0$): the value
$\varphi(\zeta)(f)(o)$ is differentiable in $\zeta$ and its time derivative equals $\varphi(\zeta)^e_i[\![\theta]\!]$.

• The evolution domain is respected: $\varphi(\zeta)^e_i \models \chi$.

If there are multiple objects $e$ giving the same position $\sigma^e_i[\![s]\!] = o$, then all of the resulting
states $\tau$ are reachable.

(3) $\rho(?\chi) = \{(\sigma, \sigma) : \sigma \models \chi\}$

(4) $\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$

(5) $\rho(\alpha;\beta) = \rho(\beta) \circ \rho(\alpha) = \{(\sigma, \tau) : (\sigma, z) \in \rho(\alpha)\ \text{and}\ (z, \tau) \in \rho(\beta)\ \text{for a state}\ z\}$

(6) $(\sigma, \tau) \in \rho(\alpha^*)$ iff there is an $n \in \mathbb{N}$ with $n \geq 0$ and there are states $\sigma = \sigma_0, \ldots, \sigma_n = \tau$
such that $(\sigma_j, \sigma_{j+1}) \in \rho(\alpha)$ for all $0 \leq j < n$.

The semantics is explicit change: nothing changes unless an assignment or differential
equation specifies how. In cases 1 and 2, only $f$ changes and only at positions of the form
$\sigma^e_i[\![s]\!]$ for some interpretation $e \in \sigma(C)$ of $i$. If there are multiple such $e$ that affect the
same position $o$, any of those changes can take effect by a nondeterministic choice. The QHP
$\forall i:C\ x := a(i)$ may change $x$ to any $a(i)$. Hence, $[\forall i:C\ x := a(i)]\phi(x) \equiv \forall i:C\ \phi(a(i))$,
because that modality considers all possibilities of changing $x$ to any $a(i)$. In contrast,
$\langle\forall i:C\ x := a(i)\rangle\phi(x) \equiv \exists i:C\ \phi(a(i))$, because that modality considers some possibility of
changing $x$ to any $a(i)$. Similarly, $x$ can evolve along $\forall i:C\ x' = a(i)$ with any of the slopes
$a(i)$. But evolutions cannot start with slope $a(c)$ and then switch to a different slope $a(d)$
later. Any choice for the quantified variable $i$ is possible but $i$ remains unchanged during
each evolution.

We call a quantified assignment $\forall i:C\ f(s) := \theta$ or a quantified differential equation
$\forall i:C\ f(s)' = \theta \,\&\, \chi$ injective iff there is at most one $e$ satisfying cases 1 and 2. For injective
quantified assignments and injective quantified differential equations, conditions 1 and 2 can be
simplified as follows:

(1') $(\sigma, \tau) \in \rho(\forall i:C\ f(s) := \theta)$ iff state $\tau$ is identical to $\sigma$ except that for each $e \in \sigma(C)$:
$\tau(f)(\sigma^e_i[\![s]\!]) = \sigma^e_i[\![\theta]\!]$.

(2') $(\sigma, \tau) \in \rho(\forall i:C\ f(s)' = \theta \,\&\, \chi)$ iff there is a function $\varphi: [0, r] \to \mathcal{S}$ for some $r \geq 0$ with
$\varphi(0) = \sigma$ and $\varphi(r) = \tau$ such that for each $e \in \sigma(C)$ and each time $\zeta \in [0, r]$:

• All differential equations hold and corresponding derivatives exist (trivial for $r = 0$): the value
$\varphi(\zeta)(f)(\sigma^e_i[\![s]\!])$ is differentiable in $\zeta$ and its time derivative equals $\varphi(\zeta)^e_i[\![\theta]\!]$.

• The evolution domain is respected: $\varphi(\zeta)^e_i \models \chi$.

We call quantified assignments and quantified differential equations schematic iff $s$ is $i$ (thus
injective) and the only arguments to function symbols in $\theta$ are $i$. Schematic quantified
differential equations like $\forall i:C\ f(i)' = a(i) \,\&\, \chi$ are very common, because distributed hybrid
systems often have a family of similar differential equations replicated for multiple participants
$i$. Their synchronization often comes from discrete communication on top of their
continuous dynamics. Physically coupled differential equations are possible as well. They
correspond to continuous physical interactions, e.g., if a car bumps into another car from
the side, it radically changes the structure of the differential equations that determine its
movement. Either case can be represented in QHPs, even if the schematic case is more
common.
Cases 1 and 2 can be defined accordingly for vectorial extensions. These vectorial extensions
are simple, just notationally cumbersome. For quantified assignments to multiple function
symbols like in $\forall i:C\ (f(s) := \theta, g(t) := \vartheta)$, all changes to $f$ and $g$ according to case 1 are
performed simultaneously when transitioning from state $\sigma$ to $\tau$ [Pla08a, Pla10a, Rüm06].
The only difference to the sequential composition $(\forall i:C\ f(s) := \theta); (\forall i:C\ g(t) := \vartheta)$ is that
in the quantified assignment to multiple functions, the change is simultaneous, hence $t$ and
$\vartheta$ are evaluated in the original state $\sigma$, not in the intermediate state that is reached after $f$
has already been modified by $\forall i:C\ f(s) := \theta$. For quantified differential equation systems
with multiple function symbols like in $\forall i:C\ (f(s)' = \theta, g(t)' = \vartheta \,\&\, \chi)$, the changes to $f$ and
$g$ according to case 2 are again simultaneous and all differential equations of the differential
equation system need to hold at the same time. Multiple quantifiers like $\forall i:C\ \forall j:D$ in
the quantified differential equation and quantified assignment are vectorial, i.e., "for some
object $e \in \sigma(C)$" in cases 1 and 2 is replaced by "for some object $e \in \sigma(C)$ and some object
$c \in \sigma(D)$", which are for $i$ and $j$, respectively. That is, we replace $\sigma^e_i$ with $\sigma^{e\,c}_{i\,j}$ and $\varphi(t)^e_i$
with $\varphi(t)^{e\,c}_{i\,j}$ as well as $\varphi(\zeta)^e_i$ with $\varphi(\zeta)^{e\,c}_{i\,j}$ in cases 1 and 2.

Note that existence/uniqueness theorems for solutions of differential equations [Wal98]
carry over to quantified differential equations. In particular, existence/uniqueness of solutions
by the Picard-Lindelöf / Cauchy-Lipschitz theorem [Wal98, Theorem 10.VI] and by the Peano
theorem [Wal98, Theorem 10.IX] carry over to case 2 of the semantics $\rho(\alpha)$ if it only affects a
finite subdomain of $\sigma(C)$, because the quantifier then corresponds to a finite set of classical
differential equations. (The number of differential equations may still change dynamically
over time, though, so that the quantified differential equation system cannot be replaced
with an unquantified differential equation system in the QHP.) For infinite $\sigma(C)$, the theorems
carry over to schematic $\forall i:C\ f(i)' = \theta \,\&\, \chi$, which give an (infinite) set of disconnected
classical differential equations. In all these cases, Picard-Lindelöf's theorem implies that
the solution is unique, when terms are continuously differentiable (on the open domain
where divisors are non-zero). For an overview of results about general infinite-dimensional
differential equations, see [Bog95].

5. Actual Existence and Object Creation

Up to now, we have been neglecting the effects of object creation and just pretended that
the domain of objects would never change. In this section, we consider object creation and
distinguish objects that actually exist physically from those that have not been created yet
(or are not physically present in the part of the world reflected in the model). We will see
that this distinction does not require any change of QdL. It is just a conceptual change of
our understanding.

Actual Existence. For the QdL semantics, we chose constant domain semantics, i.e., all
states share the same domains. Thus quantifiers range over all possible objects (possibilist
quantification in constant domain semantics), not just over active existing objects (actualist
quantification in varying domain semantics) [FM99]. In order to distinguish between actual
objects that exist in a state, because they have already been created and can now actively
take part in its evolution, versus possible objects that still passively await creation, we use the
function symbol $E(\cdot)$. Function symbol $E(\cdot)$ is similar to existence predicates in first-order
modal logic [FM99], except that its value can be assigned to in QHPs.
Object Creation. For a term $i$ of type $C \neq \mathbb{R}$, we use $E(i) = 1$ to represent that the object
denoted by $i$ has been created and actually exists. We use $E(i) = 0$ to represent that $i$ has
not been created or does not exist any longer. Object creation amounts to changing the
interpretation of $E(i)$. For an object denoted by $i$ that has not been created ($E(i) = 0$), object
creation corresponds to the state change caused by the assignment $E(i) := 1$. With quantified
assignments and function symbols, object creation is definable by a QHP:

$$n := \mathit{new}\ C \ \equiv\ (\forall j:C\ n := j);\ ?(E(n) = 0);\ E(n) := 1 \qquad (5.1)$$

This QHP assigns an arbitrary $j$ of type $C$ to $n$ ($\forall j:C\ n := j$) that did not exist before
(subsequent test $?(E(n) = 0)$) and adjusts existence ($E(n) := 1$). Disappearance of object $i$
corresponds to $E(i) := 0$. Our choice of constant domain semantics avoids semantic subtleties
of varying domains about the meaning of free variables denoting non-existent objects as in
free logics [FM99]. Denotation is standard in QdL. Terms may just denote objects that
have not been activated yet. This is even useful to initialize new objects (e.g., $x(n) := \theta$)
before activation ($E(n) := 1$).

Actualist Quantifiers. We define abbreviations for actualist quantifiers in formulas,
quantified assignments, and quantified differential equations that range only over previously
created objects, similar to relativization in modal logic [FM99] by masking:

$$\forall i:C!\ \phi \ \equiv\ \forall i:C\ (E(i) = 1 \to \phi)$$

$$\exists i:C!\ \phi \ \equiv\ \exists i:C\ (E(i) = 1 \wedge \phi)$$

$$\forall i:C!\ f(s) := \theta \ \equiv\ \forall i:C\ f(s) := (\mathit{if}\ E(i) = 1\ \mathit{then}\ \theta\ \mathit{else}\ f(s)\ \mathit{fi})$$

$$\forall i:C!\ f(s)' = \theta \ \equiv\ \forall i:C\ f(s)' = (\mathit{if}\ E(i) = 1\ \mathit{then}\ \theta\ \mathit{else}\ 0\ \mathit{fi}) \ \equiv\ \forall i:C\ f(s)' = E(i)\,\theta$$

The first two cases define quantifiers for actually existing objects. The last two cases define
quantified state change for actually existing objects using conditional terms that choose
effect $\theta$ if $E(i) = 1$ and choose no effect, retaining the old value $f(s)$ or evolving with slope $0$,
if $E(i) = 0$. The conditional terms can be avoided as indicated in the last column of the last
row (similarly for quantified assignments). In all cases, the notation $C!$ signifies that the
quantifier domain is restricted to actually existing objects of type $C$. Hence, $\forall i:C$ ranges
over all objects of sort $C$, existent or not, whereas $\forall i:C!$ ranges only over those objects of
sort $C$ that actually exist in the current state.

We generally assume that QHPs involve only quantified assignments and differential
equations that are restricted to created objects, because real systems only affect objects
that are physically present, not those that will be created later. We still treat actualist
quantification over $C!$ as a defined notion, in order to simplify the semantics and proof
calculus by separating object creation from quantified state change rules in a modular way.

If only finitely many objects have been created in the initial state (say 0), then it is
easy to see that only finitely many new objects will be created with finitely many such QHP
transitions, because each quantified state change for $C!$ only ranges over a finite domain
then. Recall that we assume $E(\cdot)$ to have (unbounded but) finite support, i.e., each state only
has a finite number of positions $i$ at which $E(i) = 1$. This makes sense in practice, because
there is a varying and possibly large but still finite number of participants (e.g., cars).
Example. The car control examples in Section 3 were unaware of the distinction between
actually existing and possible objects. Car control, of course, only affects created cars that
are physically present, not the possible cars that have not been built yet or that are not
present yet. To reflect this in the dynamics and properties, we only need to replace each
occurrence of $\forall i:C$ with $\forall i:C!$ in the car control examples of Section 3. For instance, the
QdL formula (3.1) will be restricted to actual cars by adding $C!$ as follows:

$$(\forall i, j:C!\ \mathcal{M}(i,j)) \to [\mathit{DCCS}]\ \forall i \neq j:C!\ x(i) \neq x(j) \qquad (5.2)$$

In the precondition, we only demand that all cars that actually exist ($\forall i, j:C!\ \ldots$) start
from compatible positions with compatible velocities and accelerations, because we do not
care about non-existent cars. In the postcondition, we only guarantee that all existing cars
are at different positions, because we cannot really say what happens with cars that do not
yet exist and that are beyond our control. The controller and dynamics in the QHP $\mathit{DCCS}$
can be restricted to actual cars in the same way, e.g., in the following variant of (3.3):

$$(\forall i:C!\ (a(i) := \mathit{if}\ \forall j:C!\ \mathit{far}(i,j)\ \mathit{then}\ a\ \mathit{else}\ {-b}\ \mathit{fi});\ \forall i:C!\ (x(i)'' = a(i)))^* \qquad (5.3)$$

Except conceptually, this restriction to created cars does not really affect the specification
(nor its verification). This gets much more involved as soon as we create new objects
at runtime or let them disappear again. When we create a new car that joins the system,
or when a new car appears from an on-ramp (Fig. 1), then one more set of positions $x(n)$,
velocities $v(n)$, and accelerations $a(n)$ comes out of nowhere and starts evolving along with
the distributed car control dynamics. That new car $n$ has not even been considered in the
dynamics before it has been created. A real system cannot control what is not part of the
system yet and thus must deal with new agents dynamically whenever they arrive.

A fairly challenging feature of distributed car control, thus, is that new cars may appear
dynamically from on-ramps (Fig. 1), changing the set of active objects dynamically at
runtime. To model this, we consider the following QHP:

$$\mathit{DCCS} \ \equiv\ (n := \mathit{new}\ C;\ ?\forall i:C!\ \mathcal{M}(i,n);\ \forall i:C!\ (x(i)'' = a(i)))^* \qquad (5.4)$$

Before following the continuous dynamics, this QHP creates a new car $n$ at an arbitrary
position $x(n)$ satisfying the compatibility condition $\mathcal{M}(i,n)$ with respect to all other created
cars $i$. Hence $\mathit{DCCS}$ allows new cars to appear, but not drop right out of the sky in front
of a fast car or run at the speed of light only 2 meters away. When cars appear into the
horizon from on-ramps, this condition captures that a car is only allowed to join the lane
("appear" into the model world) if it cannot cause a crash with other existing cars (Fig. 1).
Unboundedly many cars may appear during the operation of $\mathit{DCCS}$ and change the system
dimension arbitrarily, because of the repetition operator $^*$.

$\mathit{DCCS}$ is simple but shows how properties of distributed hybrid systems can be expressed
in QdL. Joint dynamics of multiple components corresponds to compositions of
quantified differential equation systems, quantified assignments, and object (dis)appearance.
Structural dynamics corresponds to assignments to function terms. Say, $f(i)$ is the car
registered by communication as the car following car $i$. Then a term $d(i,f(i))$, which denotes
the minimum safety distance negotiated between car $i$ and its follower, is a crucial part of
the system dynamics. Restructuring the system in response to a lane change corresponds to
assigning a new value to $f(i)$, which impacts the value of $d(i,f(i))$ in the system dynamics.
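The following Python simulation is added here as an illustration and is not part of the paper. It executes a few rounds of the $\mathit{DCCS}$ loop (5.4) on a finite constant domain of possible cars, using $E(\cdot)$ as the createdness flag: `new_car` implements $n := \mathit{new}\ C$ from (5.1) followed by the test $?\forall i:C!\ \mathcal{M}(i,n)$, `control` is the refined controller of Section 3 masked to $C!$, and `evolve` is the masked quantified differential equation $\forall i:C!\ (x(i)' = v(i), v(i)' = a(i)\ \&\ v(i) \geq 0)$, where uncreated cars keep slope $0$ (the $E(i)\,\theta$ masking of the actualist quantifiers). Because $a(i)$ is constant during each evolution, the solution is used in closed form and the evolution is cut at the last instant at which the domain $v(i) \geq 0$ still holds. The paper leaves $\mathcal{M}$ and $\mathit{far}$ abstract; the stopping-distance condition `M`, the constants `A_MAX`, `B_BRAKE`, `FAR`, and the scenario in `demo` are our own assumptions.

```python
# Assumed control parameters (not from the paper): maximum acceleration a,
# braking b, and the distance at which far(i,j) is taken to hold.
A_MAX, B_BRAKE, FAR = 2.0, 4.0, 30.0

class World:
    """Constant-domain state over a finite set of *possible* cars 0..n-1.
    E marks the ones that actually exist; x, v, a are total functions."""
    def __init__(self, possible):
        self.E = {k: 0 for k in range(possible)}
        self.x = {k: 0.0 for k in range(possible)}
        self.v = {k: 0.0 for k in range(possible)}
        self.a = {k: 0.0 for k in range(possible)}

    def created(self):                  # the objects that forall i:C! ranges over
        return [i for i in self.E if self.E[i] == 1]

def M(w, i, n):
    """Assumed compatibility condition: the car behind can come to a stop
    (braking b) before reaching the car ahead, and positions differ."""
    if w.x[i] == w.x[n]:
        return False
    back, front = (i, n) if w.x[i] < w.x[n] else (n, i)
    return w.x[back] + w.v[back] ** 2 / (2 * B_BRAKE) < w.x[front]

def new_car(w, x, v, pick=min):
    """n := new C  (5.1)  followed by the test ?forall i:C! M(i,n) of (5.4).
    `pick` resolves the nondeterministic choice of j in (forall j:C n := j);
    x(n), v(n) are initialised before activation, as Section 5 allows.
    A failed test cuts the run off, so the tentative state is rolled back."""
    candidates = [j for j in w.E if w.E[j] == 0]   # ?(E(n) = 0)
    if not candidates:
        return None
    n = pick(candidates)
    old = (w.x[n], w.v[n])
    w.x[n], w.v[n] = x, v
    if all(M(w, i, n) for i in w.created()):
        w.E[n] = 1                                   # E(n) := 1
        return n
    w.x[n], w.v[n] = old
    return None

def control(w):
    """forall i:C! a(i) := if forall j:C! far(i,j) then a
                           else if v(i) > 0 then -b else 0 fi fi
    (the refined controller of Section 3, masked to created cars)."""
    for i in w.created():
        far = all(abs(w.x[i] - w.x[j]) >= FAR for j in w.created() if j != i)
        w.a[i] = A_MAX if far else (-B_BRAKE if w.v[i] > 0 else 0.0)

def evolve(w, t):
    """forall i:C! (x(i)' = v(i), v(i)' = a(i) & v(i) >= 0) for up to time t.
    Accelerations are constant during the evolution, so the solution is in
    closed form.  Masking by E(i) means uncreated cars have slope 0 and are
    never touched.  The evolution must stop before any created car's
    velocity becomes negative; the duration actually used is returned."""
    r = t
    for i in w.created():
        if w.a[i] < 0:
            r = min(r, w.v[i] / -w.a[i])
    for i in w.created():
        w.x[i] += w.v[i] * r + 0.5 * w.a[i] * r * r
        w.v[i] += w.a[i] * r
    return r

def collision_free(w):
    """Postcondition of (5.2): forall i != j : C!  x(i) != x(j)."""
    cs = w.created()
    return all(w.x[i] != w.x[j] for i in cs for j in cs if i != j)

def demo():
    """Constructed run of a few DCCS rounds on six possible cars."""
    w = World(6)
    first = new_car(w, x=0.0, v=10.0)       # no other car yet: created
    rejected = new_car(w, x=5.0, v=10.0)    # stopping distance 12.5 > 5: cut off
    second = new_car(w, x=20.0, v=0.0)      # compatible: created
    control(w)                              # car 0 brakes, car 1 (v = 0) holds
    r1 = evolve(w, 5.0)                     # stops when v(0) reaches 0: r1 = 2.5
    third = new_car(w, x=100.0, v=5.0)      # far from both: created
    control(w)                              # car 2 is far from all: accelerates
    r2 = evolve(w, 1.0)
    return w, (first, rejected, second, third), (r1, r2)
```

The rollback in `new_car` is what a run-based semantics would do implicitly: a failed test means that execution is not considered at all, so the tentative initialisation of the not-yet-created car must not leak into the surviving state. Cars that never pass the test remain at $E(i) = 0$ and are never read or written by `control` or `evolve`, which is the finite-support property the section relies on.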



Figure 2: Rule schemata of the proof calculus for quantified differential dynamic logic. (The rule
table itself did not survive extraction; only the side conditions attached to the rules are
recoverable:)

1. $t$ and $\tilde t$ are new logical variables and $y_s(t)$ the simultaneous solutions of the (injective)
differential equations $\forall i:C\ f(s)' = \theta$ with $f(s)$ as symbolic initial values.

2. The occurrence of $f(u)$ in $\phi(f(u))$ is not in the scope of a modality (admissible substitution)
and we abbreviate the assignment $\forall i:C\ f(s) := \theta$ by $\mathcal{A}$, which is assumed to be injective.

3. (beginning lost) ... and the quantified assignment $\forall i:C\ f(s) := \theta$ is injective. The same
rule applies for $\langle\forall i:C\ f(s) := \theta\rangle$ instead of $[\forall i:C\ f(s) := \theta]$.

4. $\theta$ is an arbitrary term of sort $C$, often a new logical variable $X$.

5. $f$ is a new (Skolem) function of appropriate type and $X_1, \ldots, X_n$ are all free logical
variables of $\forall x\ \phi(x)$.

6. $X, Y$ are new logical variables of sort $\mathbb{R}$. QE needs to be applicable to the formula in
the premise.

7. Among all branches, the free (existential) logical variable $X$ of sort $\mathbb{R}$ only occurs in the
branches $\Phi_i \to \Psi_i$. QE needs to be defined for the formula in the premise, especially, no
Skolem dependencies on $X$ occur.

8. Logical variable $v$ does not occur in $\alpha$.

Figure 3: Propositional rule schemata



6. Proof Calculus

In Fig. 2 we present a proof calculus for QdL formulas. The basic principle behind the proof rules is that they transform a QHP into structurally simpler logical formulas by symbolic decomposition. For our purposes, it is sufficient to understand the sequent notation informally, just as a systematic proof structure. With finite sets of formulas for the antecedent $\Gamma$ and succedent $\Delta$, the sequent $\Gamma \to \Delta$ is an abbreviation for the formula $\bigwedge_{\phi\in\Gamma}\phi \to \bigvee_{\psi\in\Delta}\psi$. Our calculus uses standard proof rules for propositional logic with the cut rule; see Fig. 3. The proof rules are used backwards from the conclusion (goal below the horizontal bar) to the premises (subgoals above the bar).

In the QdL calculus, we use substitutions that take effect within formulas and programs (defined as usual). Only admissible substitutions are applicable, however, which is crucial for soundness. An application of a substitution $\sigma$ is admissible if no replaced term $\theta$ occurs in the scope of a quantifier or modality binding a symbol in $\theta$ or in its replacement $\sigma\theta$. A modality binds a symbol $f$ iff it contains an assignment to $f$ (like $\forall i{:}C\, f(s) := \theta$) or a differential equation containing an $f(s)'$ (like $\forall i{:}C\, f(s)' = \theta$). The substitutions in Fig. 2 that insert a term $\theta$ into $\phi(\theta)$ also have to be admissible for the proof rules to be applicable. We explain the QdL proof rules in the sequel.



Regular Rules. The first proof rules in Fig. 2 axiomatize sequential compositions ([;], ⟨;⟩), nondeterministic choices ([∪], ⟨∪⟩), and tests ([?], ⟨?⟩) of regular programs as in dynamic logic [HKT00]. Like most other rules in Fig. 2, these rules do not contain the sequent symbol →, i.e., they can be applied to any subformula. These rules represent (directed) equivalences: conclusion and premise are equivalent. The equivalences are directed in the sense that we only use them to replace occurrences of the conclusion with the premise (which is structurally simpler), not the other way around.

Nondeterministic choices split into their alternatives ([∪], ⟨∪⟩). For rule [∪]: if all $\alpha$ transitions lead to states satisfying $\phi$ (i.e., $[\alpha]\phi$ holds) and all $\beta$ transitions lead to states satisfying $\phi$ (i.e., $[\beta]\phi$ holds), then all transitions of QHP $\alpha \cup \beta$, which choose between following $\alpha$ and following $\beta$, also lead to states satisfying $\phi$ (i.e., $[\alpha \cup \beta]\phi$ holds). Dually for rule ⟨∪⟩: if there is an $\alpha$ transition to a $\phi$ state ($\langle\alpha\rangle\phi$) or a $\beta$ transition to a $\phi$ state ($\langle\beta\rangle\phi$), then, in either case, there is a transition of $\alpha \cup \beta$ to $\phi$ ($\langle\alpha \cup \beta\rangle\phi$ holds), because $\alpha \cup \beta$ can choose which of those transitions to follow. A general principle behind the QdL proof rules is most noticeable in [∪], ⟨∪⟩: these proof rules symbolically decompose the reasoning into two separate parts and analyze the fragments $\alpha$ and $\beta$ separately, which makes the problem tractable and is good for scalability. For these symbolic structural decompositions, it is very helpful that QdL is a full logic that is closed under all logical operators, including disjunction and conjunction, for then the premises in [∪], ⟨∪⟩ are QdL formulas again (unlike in Hoare logic [Hoa69]).

Sequential compositions are proven using nested modalities ([;], ⟨;⟩). For rule [;]: if, after all $\alpha$-transitions, all $\beta$-transitions lead to states satisfying $\phi$ (i.e., $[\alpha][\beta]\phi$ holds), then also all transitions of the sequential composition $\alpha;\beta$ lead to states satisfying $\phi$ (i.e., $[\alpha;\beta]\phi$ holds). The dual rule ⟨;⟩ uses the fact that if there is an $\alpha$-transition, after which there is a $\beta$-transition leading to $\phi$ (i.e., $\langle\alpha\rangle\langle\beta\rangle\phi$), then there is a transition of $\alpha;\beta$ leading to $\phi$ (that is, $\langle\alpha;\beta\rangle\phi$), because the transitions of $\alpha;\beta$ are just those that first do any $\alpha$-transition, followed by any $\beta$-transition (Section 4). Again, it is crucial that QdL is a full logic that considers reachability statements as modal operators, which can be nested, for then the premises in [;], ⟨;⟩ are QdL formulas again (unlike in Hoare logic [Hoa69]).

Tests are proven by assuming (with an implication in rule [?]) or showing (with a conjunction in rule ⟨?⟩) that the test succeeds, because test $?\chi$ can only make a transition when condition $\chi$ actually holds true (Section 4). Thus, for QdL formula $\langle ?\chi\rangle\phi$, rule ⟨?⟩ is used to prove that formula $\chi$ holds true (otherwise there is no transition and thus the reachability property is false) and that formula $\phi$ holds after the resulting no-op. Dually, rule [?] for QdL formula $[?\chi]\phi$ assumes that formula $\chi$ holds true (otherwise there is no transition and thus nothing to show) and shows that $\phi$ holds after the resulting no-op.



Quantified Differential Equations. Rules ['], ⟨'⟩ handle continuous evolutions for quantified differential equations with first-order definable solutions. Given a solution for the quantified differential equation system with symbolic initial values $f(s)$, continuous evolution along differential equations can be replaced with a quantified assignment $\forall i{:}C\, f(s) := y_s(t)$ corresponding to the simultaneous solution (of the differential equations $\forall i{:}C\, f(s)' = \theta$ with $f(s)$ as symbolic initial values) and an additional quantifier for the evolution time $t$. In rule ['] postcondition $\phi$ needs to hold for all evolution durations $t \geq 0$. In rule ⟨'⟩, it needs to hold after some duration $t \geq 0$. The constraint on $\chi$ restricts the continuous evolution such that its solution $f(s) := y_s(t)$ remains in the evolution domain region $\chi$ at all intermediate times $\tilde t \leq t$. This constraint simplifies to true if $\chi$ is true.

For schematic cases like $\forall i{:}C\, f(i)' = a(i)$, first-order definable solutions can be obtained by adding argument $i$ to first-order definable solutions of the deparametrized version $f' = a$. For example, the following proof step uses rule ['] to turn a quantified differential equation system into a quantified assignment with an extra quantifier for the duration $t$ of the evolution:

$$\frac{\forall i\neq j\, x(i)\neq x(j) \to \forall t\geq 0\, [\forall i\, x(i) := -\tfrac{b}{2}t^2 + v(i)t + x(i)]\, \forall j\neq k\, x(j)\neq x(k)}{\forall i\neq j\, x(i)\neq x(j) \to [\forall i\, (x(i)' = v(i),\ v(i)' = -b)]\, \forall j\neq k\, x(j)\neq x(k)}$$

The quantified assignment $\forall i\, x(i) := -\tfrac{b}{2}t^2 + v(i)t + x(i)$ solving the above quantified differential equation system can be obtained easily from the solution $x := -\tfrac{b}{2}t^2 + vt + x$ of the deparametrized differential equation system $x' = v$, $v' = -b$, just by adding the parameter $i$ back in and checking whether this gives a solution. (The simultaneous solution $v(i) := -bt + v(i)$ of the velocity component is omitted from the displayed assignment for readability, because $v$ does not occur in the postcondition; systems of quantified assignments are discussed below.)

We only present proof rules for first-order definable solutions of quantified differential equations here. We refer to previous work [Pla10a] for induction techniques that handle differential equations without solving them and that work for nondeterministic differential equations with disturbances. We have shown recently that these differential induction techniques extend to quantified differential equations using quantified differential invariants [Pla11].
Quantified Assignments. Rules [:=], ⟨:=⟩, [:] handle quantified assignments. Rule [:] characterizes the fact that quantified assignments to $f$ have no effect on all other operators $\Upsilon \neq f$ (including other function symbols, $\wedge$, if-then-else-fi), so that $\Upsilon$ will not be affected by the quantified assignment and can be skipped over. The arguments $u$ may still be affected by the quantified assignment, hence [:] prefixes $u$ (component-wise) by $\forall i{:}C\, f(s) := \theta$. Hence, the rule maps a quantified assignment over all arguments homomorphically. For example, if $\Upsilon$ is an operator taking two arguments and is not the function symbol $f$, then rule [:] derives the proof step

$$\frac{\Upsilon\big([\forall i{:}C\, f(s) := \theta]u_1,\ [\forall i{:}C\, f(s) := \theta]u_2\big)}{[\forall i{:}C\, f(s) := \theta]\,\Upsilon(u_1, u_2)}$$

Rules [:=], ⟨:=⟩ characterize how a quantified assignment to $f$ affects the value of a term $f(u)$ (these rules are equivalent for the injective case, i.e., a match for at most one $i$). Their effect depends on whether the quantified assignment $\forall i{:}C\, f(s) := \theta$ matches $f(u)$, i.e., there is a choice for $i$ such that $f(u)$ is affected by the assignment, because $u$ is of the form $s$ for some $i$. Whether it matches or not cannot always be decided statically, because it may depend on the particular interpretations. Hence, the premises of rules [:=], ⟨:=⟩ make a case distinction on matching by yielding an if-then-else formula. The formula $\text{if } \phi \text{ then } \phi_1 \text{ else } \phi_2 \text{ fi}$ is short notation for $(\phi \to \phi_1) \wedge (\neg\phi \to \phi_2)$. If the quantified assignment does not match (else part), the occurrence of $f$ in $\phi(f(u))$ will be left unchanged, because $f$ is not changed at position $u$. If it matches (then part), the premise uses the term $\theta$ assigned to $f(s)$ instead of $f(u)$, either for all possible $i{:}C$ that match $f(u)$ in case of [:=], or for some of those $i{:}C$ in case of ⟨:=⟩. The universal and existential quantifiers pick the same unique $i$, because the quantified assignment needs to be injective for [:=], ⟨:=⟩. In all cases, the original quantified assignment $\forall i{:}C\, f(s) := \theta$, which we abbreviate by $\mathcal{A}$, will be applied to $u$ in the premise, because the value of argument $u$ may also be affected by $\mathcal{A}$, recursively.

A special case of [:=] applies to the schematic case where $s$ is of the form $i$, which matches trivially:

$$\frac{\forall i{:}C\,\big(i = [\forall i{:}C\, f(i) := \theta]u \to \phi(\theta)\big)}{\phi\big([\forall i{:}C\, f(i) := \theta]\, f(u)\big)}$$

If $f$ does not occur in $u$, then [:] simplifies this proof step further:

$$\frac{\forall i{:}C\,\big(i = u \to \phi(\theta)\big)}{\phi\big([\forall i{:}C\, f(i) := \theta]\, f(u)\big)}$$

Recall that $\theta_i^u$ is the term $\theta$ with $i$ replaced by $u$. Standard first-order reasoning simplifies the above to a derived rule that we again denote by [:=] (where $f$ does not occur in $u$):

$$\frac{\phi(\theta_i^u)}{\phi\big([\forall i{:}C\, f(i) := \theta]\, f(u)\big)}$$

Together with [:] to propagate the change to both arguments of $\neq$, this derived rule proves, for example, the following proof step:

$$\frac{\forall i\neq j\, x(i)\neq x(j) \to \forall j\neq k\,\big(-\tfrac{b}{2}s^2 + v(j)s + x(j) \neq -\tfrac{b}{2}s^2 + v(k)s + x(k)\big)}{\forall i\neq j\, x(i)\neq x(j) \to \forall j\neq k\,[\forall i\, x(i) := -\tfrac{b}{2}s^2 + v(i)s + x(i)]\, x(j)\neq x(k)}$$

Rules [:=], ⟨:=⟩ also apply for assignments without quantifiers, which correspond to vacuous quantification $\forall i{:}C$ where $i$ does not occur anywhere. The following rule, for example, is a special case of [:=]:

$$\frac{\text{if } s = [f(s) := \theta]k \text{ then } \phi(\theta) \text{ else } \phi\big(f([f(s) := \theta]k)\big) \text{ fi}}{\phi\big([f(s) := \theta]\, f(k)\big)}$$

If $f$ does not occur in term $k$, then this special case of [:=] simplifies further to

$$\frac{\text{if } s = k \text{ then } \phi(\theta) \text{ else } \phi(f(k)) \text{ fi}}{\phi\big([f(s) := \theta]\, f(k)\big)}$$

Note that the if-then-else case distinction is necessary in general, because the effect of the (vacuously quantified) assignment depends on whether $s = k$ holds, which may depend on what value $k$ has at the moment. Rules [:∗], ⟨:∗⟩ reduce nondeterministic assignments to universal or existential quantification. For the handling of other general nondeterministic assignments and nondeterministic differential equations, also see previous work [Pla10a].

It is easy, just notationally cumbersome, to extend rules [:=], ⟨:=⟩, [:] to vectorial extensions including systems of quantified assignments to multiple function symbols like $\forall i{:}C\, (a(i) := a(i) + 1,\ t(i) := 0)$ following the ideas of parallel updates [BP06, Rüm06]. With those, it is also easy to extend rules ['], ⟨'⟩ to quantified differential equation systems like $\forall i{:}C\, (x(i)' = v(i),\ v(i)' = a(i))$ where the solution is a system of quantified assignments.
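The schematic case of [:=] together with [:] amounts to a small term rewriter, and it is instructive to see the recursion on the argument $u$ actually run. The following Python script is an added example, not code from the paper or its authors. It implements the rewriting for a unary function symbol $f$ with $s$ of the form $i$, applies the braking assignment $\forall i\, x(i) := -\tfrac{b}{2}s^2 + v(i)s + x(i)$ to the postcondition $x(j)\neq x(k)$ as in the proof step above, and shows on $x(x(j))$ why the assignment has to be applied to the argument first. The term representation (App, show, apply_qassign) and the treatment of quantifiers as opaque operators that [:] skips over are this example's own assumptions; admissibility (no quantifier in the formula binding $i$) is left to the caller, as in the calculus.

```python
"""Added example: symbolic effect of a quantified assignment  forall i:C f(i) := theta
on terms and first-order formulas, schematic case s = i (not code from the paper).

Rule [:]  : any operator other than f is skipped, the assignment is pushed into its arguments.
Rule [:=] : an occurrence f(u) becomes theta with i replaced by [A]u, where [A]u is the
            argument after the assignment has been applied to it (recursive effect).

Terms: a str is a logical variable or a constant symbol; App(op, args) is an application.
Formulas reuse App with relation/connective ops (e.g. "≠") and quantifier ops treated as
opaque unary operators.  A quantifier binding i inside the formula would violate
admissibility and is not handled here (rename first, as the calculus requires).
"""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class App:
    op: str
    args: Tuple["Term", ...]


Term = Union[str, App]


def app(op: str, *args: Term) -> App:
    return App(op, tuple(args))


def show(t: Term) -> str:
    """Infix rendering for binary symbolic operators, prefix rendering otherwise."""
    if isinstance(t, str):
        return t
    if len(t.args) == 2 and not t.op.isalnum():
        return f"({show(t.args[0])} {t.op} {show(t.args[1])})"
    return f"{t.op}({', '.join(show(a) for a in t.args)})"


def subst(t: Term, var: str, by: Term) -> Term:
    """theta_var^by: t with every occurrence of logical variable var replaced by term by."""
    if isinstance(t, str):
        return by if t == var else t
    return App(t.op, tuple(subst(a, var, by) for a in t.args))


def apply_qassign(t: Term, f: str, i: str, theta: Term) -> Term:
    """Value of t after  forall i:C f(i) := theta , expressed over the pre-state.
    Hypothetical helper for this example; f must be a unary function symbol."""
    if isinstance(t, str):
        return t                                   # variables and constants are not f
    if t.op != f:                                  # rule [:]: skip Upsilon != f, recurse into args
        return App(t.op, tuple(apply_qassign(a, f, i, theta) for a in t.args))
    (u,) = t.args                                  # f(u): with s = i the match is trivial
    u_after = apply_qassign(u, f, i, theta)        # [A]u: the argument may be affected as well
    return subst(theta, i, u_after)                # derived [:=]: theta with i replaced by [A]u


# theta of the braking assignment in the proof step above: -b/2 s^2 + v(i) s + x(i)
BRAKING_THETA = app("+",
                    app("+", app("*", app("/", app("-", "b"), "2"), app("^", "s", "2")),
                             app("*", app("v", "i"), "s")),
                    app("x", "i"))


def braking_postcondition_step() -> Term:
    """[forall i x(i) := theta] (x(j) ≠ x(k)): [:] skips ≠, [:=] rewrites both sides."""
    post = app("≠", app("x", "j"), app("x", "k"))
    return apply_qassign(post, "x", "i", BRAKING_THETA)


def nested_occurrence_step() -> Term:
    """[forall i x(i) := x(i) + 1] x(x(j)) = x(x(j) + 1) + 1: the inner x(j) is updated
    first, and the outer occurrence is read at the new position (old values of x)."""
    theta = app("+", app("x", "i"), "1")
    return apply_qassign(app("x", app("x", "j")), "x", "i", theta)


if __name__ == "__main__":
    print(show(braking_postcondition_step()))
    print(show(nested_occurrence_step()))
```

The quantifier $\forall j\neq k$ in front of the postcondition can be modelled as a unary operator App("∀j≠k", (body,)); since its op differs from x, apply_qassign passes straight through it, which is exactly the [:] step Fig. 4 takes before [:=].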

Object Creation. Given our definition of $n := \text{new}\,C$ as a QHP from Section 5, object creation can be proven by the other proof rules in Fig. 2. With this definition of $\text{new}\,C$, we obtain, for example, the following derived rule by applying the rules for the regular program constructs and assignments that $\text{new}\,C$ is composed of:

$$\frac{\forall n{:}C\,\big(E(n) = 0 \to [E(n) := 1]\phi\big)}{[n := \text{new}\,C]\phi}$$

In addition, axiom E expresses that, for sort $C \neq \mathbb{R}$, there always is a new object $n$ that has not been created yet ($E(n) = 0$), because domains are infinite. This is the only place where we are using the assumption about infinite domains. The primary purpose is to simplify technicalities that would arise if object creation could run out of objects and may thus fail if, e.g., no more cars can be created. If this resource limitation is intended in a particular system, it can be modeled easily using patterns like $n := \text{new}\,C \cup \text{fail}$.



Quantifiers. For quantifiers, we cannot just use standard rules [Fit96], because these are for uninterpreted first-order logic and work by instantiating quantifiers, eagerly as in ground tableaux or lazily by unification as in free variable tableaux [Fit96]. QdL is based on first-order logic interpreted over the reals [Tar51, CH91]. A formula like $\exists a{:}\mathbb{R}\, \forall x{:}\mathbb{R}\, (x^2 + a > 0)$ cannot be proven by the instantiation rules for the quantifiers but it is still valid for reals. Thus, for handling quantifiers over the reals, we would like to use the standard decision procedure for first-order real arithmetic (i.e., real-closed fields) instead, which is quantifier elimination [Tar51, CH91].

Definition 6.1 (Quantifier elimination). A first-order theory admits quantifier elimination if, with each formula $\phi$, a quantifier-free formula $\mathrm{QE}(\phi)$ can be associated effectively that is equivalent (i.e., $\phi \leftrightarrow \mathrm{QE}(\phi)$ is valid) and has no additional free variables or function symbols. The operation QE is further assumed to evaluate formulas without variables, yielding a decision procedure for closed formulas of this theory (i.e., formulas without free variables).

Unfortunately, we cannot use quantifier elimination of the theory of real-closed fields [Tar51, CH91] either, because it cannot be applied to QdL formulas with modalities, since these are quantified reachability statements. Even in discrete dynamic logic, quantifiers plus modalities make validity $\Pi^1_1$-complete [HKT00, Theorem 13.1]. QE cannot handle sorts $C \neq \mathbb{R}$ either.

Instead, our QdL proof rules combine quantifier handling of many-sorted logic based on instantiation with theory reasoning by QE for the theory of reals. Figure 2 shows proof rules for quantifiers that combine with decision procedures for real-closed fields. Classical instantiation is sound for sort $\mathbb{R}$, just incomplete. For example, rule ∃r can solve the following arithmetic by instantiation:

$$\frac{a \geq 0 \to (a+1)^2 > a,\ \exists x\, x^2 > a}{a \geq 0 \to \exists x\, x^2 > a}$$

Rules ∃r and ∀l instantiate $x$ with arbitrary terms $\theta$, including a new free variable $X$, in which case ∃r and ∀l become the usual $\gamma$-rules of free-variable proof calculi [Fit96, FM99]:

$$(\exists r)\ \frac{\Gamma \to \phi(X), \exists x{:}C\,\phi(x), \Delta}{\Gamma \to \exists x{:}C\,\phi(x), \Delta} \qquad (\forall l)\ \frac{\Gamma, \phi(X), \forall x{:}C\,\phi(x) \to \Delta}{\Gamma, \forall x{:}C\,\phi(x) \to \Delta}$$

Rules ∀r and ∃l correspond to the liberalized $\delta^+$-rule [HS94] that is a refinement of the classical $\delta$-rule of free-variable tableaux [Fit96]. As in our previous work [Pla08a], rules i∀ and i∃ reintroduce and eliminate quantifiers over $\mathbb{R}$ once QE is applicable, because the remaining constraints are first-order real arithmetical in the respective variables. In particular, the quantifier rules can be used to postpone quantifier elimination until the remaining constraints are first-order, where the quantifier can be reintroduced by i∀ and i∃ [Pla08a].

Unlike in previous work, however, functions and different argument vectors can occur in QdL. If the argument vectors $s$ and $t$ in i∀ have the same value, the same variable $X$ can be reintroduced for $f(s)$ and $f(t)$, otherwise different variables $X \neq Y$ have to be used. Whether $s$ and $t$ have the same value cannot always be decided statically, so rule i∀ makes a case distinction by an if-then-else. Rule i∀ works accordingly for multiple occurrences of $f(s)$, $f(t)$, $f(u)$ and so on in arbitrary positions in the formula, where more variables $X, Y, Z$ are introduced to quantify over. It is easy to turn rule i∀ into a rule that successively substitutes one term $f(s)$ by a fresh variable $X$ everywhere at a time instead of handling all $f(s)$, $f(t)$, $f(u)$ at once.

Rule i∃ can reintroduce an existential quantifier for a free (existential) logical variable $X$ and merges all proof branches containing $X$, because $X$ has to satisfy all branches simultaneously. It thus has multiple conclusions. Rule i∃ reintroduces an existential quantifier and performs quantifier elimination for a free (existential) logical variable $X$ that has been introduced by ∃r, ∀l before by choosing a fresh variable $X$ for $\theta$. We use the same rule i∃ as in previous work and refer to that work [Pla08a] for further explanations of merging.

Rules i∀ and i∃ require that quantifier elimination (QE) is applicable to the resulting formula. If the resulting formulas still have occurrences of the quantified variables in the scope of modalities, then QE is not applicable and rules i∀ and i∃ have to be postponed until the modalities have been dealt with by other proof rules from Fig. 2. Even for first-order formulas, we cannot just apply classical quantifier elimination in real-closed fields [Tar51], because the first-order theory of real-closed fields does not include function symbols. For example, $\forall i\, (a(i) \geq 0)$ is a formula of first-order real arithmetic augmented with function symbols, hence quantifier elimination in real-closed fields due to Tarski [Tar51] is not applicable. It cannot even be expressed in quantifier-free form, because its truth-value depends on the value of function $a$ at unboundedly many positions. This makes sense. QE is a decision procedure for first-order real arithmetic. But first-order logic (even without arithmetic) is only semidecidable, so we cannot handle it by QE and need to rely on the instantiation rules ∀r, ∀l, ∃r, ∃l, which are complete for first-order logic. Nevertheless, from previous work [Pla08a], we obtain the following result on how to lift QE to the presence of function symbols:

Lemma 6.2 (Quantifier elimination lifting [Pla08a]). Quantifier elimination can be lifted to instances of formulas of first-order theories that admit quantifier elimination, i.e., to formulas that result from the base theory by substitution.

For example, $\forall y\, (a(i) < y^2)$ is a formula of first-order real arithmetic augmented with function symbols such that quantifier elimination in real-closed fields due to Tarski [Tar51] is not (directly) applicable. By Lemma 6.2, however, QE can be lifted to this formula, because it is an instance of $\forall y\, (Z < y^2)$, for $Z$ replaced with $a(i)$. Hence,

$$\mathrm{QE}\big(\forall y\, (a(i) < y^2)\big) = \big(\mathrm{QE}(\forall y\, (Z < y^2))\big)_Z^{a(i)} = (Z < 0)_Z^{a(i)} = a(i) < 0$$


Global Rules. The proof rules in the last block of Fig. 2 depend on the truth of their premises in all states, thus the context $\Gamma, \Delta$ cannot be used in the premise, because it may be specific to the current state. The rules are given in a form that best displays their underlying logical principles. The general pattern for applying these rules to prove that the succedent of their conclusion holds is to prove that both their premise and the antecedent of their conclusion hold. In particular, the antecedent can be thought of as holding in the current state, whereas the premise can be thought of as holding in all states because the context $\Gamma, \Delta$ is gone.

Rules []gen, ⟨⟩gen are Gödel generalization rules and can be used to strengthen postconditions: antecedent $[\alpha]\phi$ is sufficient for proving succedent $[\alpha]\psi$ when postcondition $\phi$ entails $\psi$ in all states, as shown in the premise of []gen. Clearly, for rule []gen, if all states reachable by $\alpha$ satisfy $\phi$ (antecedent $[\alpha]\phi$) and $\phi$ implies $\psi$ in all states (premise $\phi \to \psi$), then $\psi$ also holds in all states reachable by $\alpha$ (succedent $[\alpha]\psi$). Similarly, for rule ⟨⟩gen, if some state reachable by $\alpha$ satisfies $\phi$ (antecedent $\langle\alpha\rangle\phi$) and $\phi$ implies $\psi$ in all states (premise $\phi \to \psi$), then $\psi$ also holds in some state reachable by $\alpha$ (succedent $\langle\alpha\rangle\psi$).

Rule ind is an induction schema for loops with inductive invariant $\phi$ [HKT00, Pla08a]. Rule ind says that $\phi$ holds after any number of repetitions of $\alpha$ if it holds initially (antecedent) and, for all states, invariant $\phi$ remains true after one iteration of $\alpha$ (premise). If $\phi$ is true after executing $\alpha$ whenever $\phi$ has been true before (premise), then, if $\phi$ holds in the beginning, $\phi$ will continue to hold, no matter how often we repeat $\alpha$ in $[\alpha^*]\phi$.

Similarly, con generalizes Harel's convergence rule [HKT00] to the hybrid case with decreasing variant $\phi$ [Pla08a]. Rule con expresses that the variant $\phi(v)$ holds for some real number $v \leq 0$ after repeating $\alpha$ sufficiently often (succedent) if $\phi(v)$ holds for some real number at all in the beginning (antecedent) and, by premise, $\phi(v)$ can decrease after every execution of $\alpha$ by 1 (or another positive real constant). This rule can be used to show positive progress (by 1) with respect to $\phi(v)$ by executing $\alpha$.






Example. As a simple example illustrating how the QdL proof calculus works, we consider the QdL derivation in Fig. 4 for a simple QdL formula. The QdL formula that we consider here follows the pattern of the running example formula in (3.1). But we simplify the formula to consider just one case and postpone the discussion of the full system to Section 9. Here we consider the QdL formula:

$$\forall i\neq j\, x(i)\neq x(j) \to [\forall i\, (x(i)' = v(i),\ v(i)' = -b)]\, \forall j\neq k\, x(j)\neq x(k) \tag{6.1}$$

The difference of the simpler QdL formula (6.1) compared to the full QdL formula (3.1) is that the simpler formula considers only the case of the QHP dynamics where all cars are braking. Certainly, if the system were not safe when all cars are braking (which is one possible behavior of DCCS), then it would not be safe always. The other difference is that (6.1) has a weaker assumption in the precondition. It only assumes that cars start from different positions ($\forall i\neq j\, x(i)\neq x(j)$), not that they respect the compatibility constraint $\forall i\neq j\, \mathcal{M}(i,j)$. In fact, we are using the derivation in Fig. 4 to find out how we need to choose $\mathcal{M}(i,j)$ to ensure collision freedom, because $\mathcal{M}(i,j)$ needs to imply at least that all cars would remain safe when braking.

The derivation in Fig. 4 can be used to find out under which circumstances the QdL formula (6.1), from which we start the derivation at the bottom of Fig. 4, is true. Formula (6.1) claims that cars would never crash if they start at different positions ($\forall i\neq j\, x(i)\neq x(j)$) and all cars brake by following the dynamics $\forall i\, x(i)'' = -b$. Since braking is the safest operation for cars, we might think that car control would always be safe in this most conservative scenario. But that is not the case. If the cars start with incompatible velocities and distances, then not even braking can prevent a crash. The premise discovered by the QdL derivation in Fig. 4 reveals that collisions will only be prevented by braking if the initial velocities and positions satisfy the monotonicity condition $\mathcal{M}(j,k)$ that we have already shown in (3.2).



The derivation is read from the conjecture at the bottom upwards; the rule label on a line names the rule whose conclusion that line is and whose premise is the line above it.

$$\begin{array}{ll}
 & \mathrm{QE}\big(\forall X,Y,V,W\,(j\neq k \wedge X\neq Y \to X<Y\wedge V\leq W \vee X>Y\wedge V\geq W)\big) \\
\mathrm{i}\forall & \forall i\neq j\, x(i)\neq x(j) \to \big(j\neq k \to (x(j)<x(k)\wedge v(j)\leq v(k) \vee x(j)>x(k)\wedge v(j)\geq v(k))\big) \\
\mathrm{QE} & \forall i\neq j\, x(i)\neq x(j) \to \mathrm{QE}\big(\forall s\geq 0\,(j\neq k \to -\tfrac{b}{2}s^2 + v(j)s + x(j) \neq -\tfrac{b}{2}s^2 + v(k)s + x(k))\big) \\
\mathrm{i}\forall & \forall i\neq j\, x(i)\neq x(j),\ s\geq 0 \to \big(j\neq k \to -\tfrac{b}{2}s^2 + v(j)s + x(j) \neq -\tfrac{b}{2}s^2 + v(k)s + x(k)\big) \\
\forall r & \forall i\neq j\, x(i)\neq x(j),\ s\geq 0 \to \forall j\neq k\,\big(-\tfrac{b}{2}s^2 + v(j)s + x(j) \neq -\tfrac{b}{2}s^2 + v(k)s + x(k)\big) \\
[:=] & \forall i\neq j\, x(i)\neq x(j),\ s\geq 0 \to \forall j\neq k\,[\forall i\, x(i) := -\tfrac{b}{2}s^2 + v(i)s + x(i)]\, x(j)\neq x(k) \\
[:] & \forall i\neq j\, x(i)\neq x(j),\ s\geq 0 \to [\forall i\, x(i) := -\tfrac{b}{2}s^2 + v(i)s + x(i)]\, \forall j\neq k\, x(j)\neq x(k) \\
{\to}r & \forall i\neq j\, x(i)\neq x(j) \to \big(s\geq 0 \to [\forall i\, x(i) := -\tfrac{b}{2}s^2 + v(i)s + x(i)]\, \forall j\neq k\, x(j)\neq x(k)\big) \\
\forall r & \forall i\neq j\, x(i)\neq x(j) \to \forall t\geq 0\, [\forall i\, x(i) := -\tfrac{b}{2}t^2 + v(i)t + x(i)]\, \forall j\neq k\, x(j)\neq x(k) \\
['] & \forall i\neq j\, x(i)\neq x(j) \to [\forall i\, (x(i)' = v(i),\ v(i)' = -b)]\, \forall j\neq k\, x(j)\neq x(k)
\end{array}$$

Figure 4: Example of a QdL derivation to prove collision-freedom of simple car control.

The proof in Fig. 4 starts with the conjecture at the bottom (goal). The proof uses rule ['] to turn the quantified differential equation system into a quantified assignment with an extra quantifier for the duration $t$ of the evolution. The quantified differential equation system is easy to solve. The quantified assignment $\forall i\, x(i) := -\tfrac{b}{2}t^2 + v(i)t + x(i)$ solving it can be obtained easily from the solution $x := -\tfrac{b}{2}t^2 + vt + x$ of the deparametrized differential equation system $x' = v$, $v' = -b$, just by adding the parameter $i$ back in and checking that the resulting terms solve the quantified differential equation. Now the top-most logical operator in the succedent is the quantifier $\forall t$. Even though it is a quantifier over a real variable, we cannot use the decision procedure of quantifier elimination for real-closed fields [Tar51] to handle it, because we do not have a formula of first-order real arithmetic, but still a QdL formula with a modality expressing a property of all reachable states. Instead, we use rule ∀r to postpone quantifier elimination and turn variable $t$ into a Skolem function $s$. This Skolem function has no arguments, because no free (existential) logical variables occur in the formula [Pla08a]. After that, we use the standard propositional sequent rule →r to normalize implications in the succedent into sequent form by moving their left-hand side to the antecedent.

The resulting quantified assignment to $x(i)$ (for all $i$) takes effect on the postcondition $\forall j\neq k\, x(j)\neq x(k)$ by skipping over the quantifier $\forall j\neq k$ with rule [:] and then affecting $x(j)$ and $x(k)$ subsequently by rule [:=] (and another application of [:] to skip over $\neq$, which is not shown in Fig. 4).

At this point (the top-most use of rule ∀r in Fig. 4), we already have a first-order formula and it may seem as if we could apply i∀ directly instead of ∀r. This would not work, however, because quantifier elimination works from inside out and will have to eliminate the inner quantifier $\forall j\neq k$ before the outer quantifier $\forall s$. Yet, the resulting formula is not an instance of first-order real arithmetic (not even when using Lemma 6.2), because there are dependencies on the quantified variables $j, k$ in function arguments of the resulting formula:

$$\forall s\geq 0\, \forall j\neq k\, \big(-\tfrac{b}{2}s^2 + v(j)s + x(j) \neq -\tfrac{b}{2}s^2 + v(k)s + x(k)\big)$$

Instead, the proof in Fig. 4 uses rule ∀r to turn the quantified variables $j, k$ into Skolem functions, which, for simplicity, we again denote by $j$ and $k$. Subsequently, we can use rule i∀ to reintroduce a quantifier for the Skolem function $s$. Rule i∀ does not produce an if-then-else, because $s$ has no arguments. This time, the formula is still not in first-order real arithmetic, because function symbols like $v(j)$ occur. However, it is an instance ($v(j)$ for $V$ and $x(j)$ for $X$ and $v(k)$ for $W$ and $x(k)$ for $Y$) of the following formula of first-order real arithmetic:

$$\forall s\geq 0\, \big(j\neq k \to -\tfrac{b}{2}s^2 + Vs + X \neq -\tfrac{b}{2}s^2 + Ws + Y\big) \tag{6.2}$$

and thus quantifier elimination can be lifted by Lemma 6.2. The result of quantifier elimination is an instance (with the same instantiation as above) of the result of applying QE to (6.2). To improve traceability, we show the application of QE as a separate proof step (indicated by QE).

Finally (the top-most rule), we use rule i∀ to finish the deduction. We still cannot use rule i∀ for $j, k$, but we can use rule i∀ for the (non-Skolem) function symbols $x$ and $v$. This time, the use of rule i∀ is more involved than before, because the functions $x$ and $v$ have arguments. When using rule i∀ on

$$\forall i\neq j\, x(i)\neq x(j) \to \big(j\neq k \to (x(j)<x(k)\wedge v(j)\leq v(k) \vee x(j)>x(k)\wedge v(j)\geq v(k))\big)$$

(with the antecedent instantiated to $x(j)\neq x(k)$ by rule ∀l, a step not displayed in Fig. 4) we formally obtain

$$\mathrm{QE}\Big(\forall X,Y,V,W\,\big(\text{if } j = k \text{ then } j\neq k \wedge X\neq X \to X<X\wedge V\leq V \vee X>X\wedge V\geq V \text{ else } j\neq k \wedge X\neq Y \to X<Y\wedge V\leq W \vee X>Y\wedge V\geq W \text{ fi}\big)\Big)$$

Since the condition $j = k$ of the if-then-else contradicts the assumption $j \neq k$, this formula simplifies to:

$$\mathrm{QE}\big(\forall X,Y,V,W\,(j\neq k \wedge X\neq Y \to X<Y\wedge V\leq W \vee X>Y\wedge V\geq W)\big)$$

Simplifications like those arise often and can be exploited for automated theorem proving. Applying QE in the above formula yields false, so the derivation in Fig. 4 does not result in a closed proof. This is good news, however, because the conjecture at the bottom of Fig. 4 is not true under all interpretations. The constraints at the top of Fig. 4 can be used to construct the constraints required for safety, which coincide with $\mathcal{M}(j,k)$ from (3.2).
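The two arithmetic steps of Fig. 4, the solution check behind rule ['] and the quantifier elimination of (6.2), are small enough to carry out exactly. The following Python script is an added example, not code from the paper or its authors. It checks the solution polynomials by differentiation (including the $v(i)$ component that Fig. 4 omits because the postcondition does not mention $v$), eliminates $\forall s\geq 0$ from (6.2) by analyzing the root of the affine gap between two cars, compares the outcome with the monotonicity condition $\mathcal{M}$ on a grid of rational values, exhibits a counterexample to the implication that makes the top of Fig. 4 false, and performs the lifting of Lemma 6.2 by reading $x(j), x(k), v(j), v(k)$ off a constructed two-car state. All function names and the sample state are this example's own assumptions.

```python
"""Added example (not from the paper): the arithmetic behind Fig. 4, done exactly with
rational numbers.

1. Rule [']: check that  x(i) := -b/2 t^2 + v(i) t + x(i),  v(i) := -b t + v(i)  solves
   x(i)' = v(i), v(i)' = -b  for given initial values, by differentiating the solution
   polynomials in t (the identity is exact in t, the initial values are concrete).
2. QE of the base formula (6.2):  forall s>=0 (-b/2 s^2 + V s + X != -b/2 s^2 + W s + Y).
   The b-terms cancel, the gap (V - W) s + (X - Y) is affine in s, so it is nonzero for
   all s >= 0 iff X != Y and the root, if there is one, lies at a negative time.
"""
from fractions import Fraction as Fr
from itertools import product
from typing import Dict, List, Tuple

Poly = List[Fr]  # Poly[k] is the coefficient of t^k


def deriv(p: Poly) -> Poly:
    d = [k * c for k, c in enumerate(p)][1:]
    return d or [Fr(0)]


def poly_eq(p: Poly, q: Poly) -> bool:
    n = max(len(p), len(q))
    pad = lambda r: r + [Fr(0)] * (n - len(r))
    return pad(p) == pad(q)


def braking_solution(x0, v0, b) -> Tuple[Poly, Poly]:
    """Candidate solution of x' = v, v' = -b with initial values x0, v0 (hypothetical helper)."""
    x0, v0, b = Fr(x0), Fr(v0), Fr(b)
    return [x0, v0, -b / 2], [v0, -b]


def solves_braking_ode(x0, v0, b) -> bool:
    """x' == v and v' == -b as polynomial identities in t, plus the right initial values."""
    xp, vp = braking_solution(x0, v0, b)
    return (poly_eq(deriv(xp), vp) and poly_eq(deriv(vp), [-Fr(b)])
            and xp[0] == Fr(x0) and vp[0] == Fr(v0))


def separated_while_braking(X, V, Y, W) -> bool:
    """Decide  forall s>=0 (-b/2 s^2 + V s + X != -b/2 s^2 + W s +Y)  for given values:
    hand quantifier elimination for this instance via the root of the affine gap."""
    X, V, Y, W = map(Fr, (X, V, Y, W))
    if X == Y:
        return False                 # s = 0 is already a collision
    if V == W:
        return True                  # constant gap, it never closes
    return (Y - X) / (V - W) < 0     # the meeting time must lie in the past


def monotonicity_condition(X, V, Y, W) -> bool:
    """M(j,k) read on the instance:  X<Y and V<=W  or  X>Y and V>=W."""
    return (X < Y and V <= W) or (X > Y and V >= W)


def qe_agrees_with_condition(values=range(-2, 3)) -> bool:
    """Cross-check: the hand QE and M coincide on every point of a rational grid."""
    return all(separated_while_braking(*s) == monotonicity_condition(*s)
               for s in product(values, repeat=4))


def implication_valid(values=range(-2, 3)) -> bool:
    """Is  X!=Y -> M  true at every grid point?  One counterexample suffices for the
    QE(...) at the top of Fig. 4 to be false."""
    return all(X == Y or monotonicity_condition(X, V, Y, W)
               for X, V, Y, W in product(values, repeat=4))


def lifted_check(state: Dict[str, Dict[int, Fr]], j: int, k: int) -> bool:
    """Lemma 6.2 in action: instantiate X,Y,V,W with x(j),x(k),v(j),v(k) of a state."""
    x, v = state["x"], state["v"]
    return separated_while_braking(x[j], v[j], x[k], v[k])


# Constructed sample state (not from the paper): car 1 is behind car 2 but faster,
# so braking alone does not keep the two apart.
SAMPLE_STATE = {"x": {1: Fr(0), 2: Fr(10)}, "v": {1: Fr(5), 2: Fr(1)}}

if __name__ == "__main__":
    print(solves_braking_ode(0, 5, 2), qe_agrees_with_condition(), implication_valid())
    print(lifted_check(SAMPLE_STATE, 1, 2))
```

The grid comparison is not a proof of the QE result (that is what the case analysis in separated_while_braking is), but it is the kind of cheap sanity check worth running before trusting a hand-eliminated quantifier, and the counterexample it finds is exactly the shape of state that (3.2) rules out.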

Derived Rules. Several useful rules can be derived from the QdL rules in Fig. 2 to shortcut common reasoning cases. For instance, the following derived rules characterize the effect of creating objects of type $C$ on actualist quantifiers over type $C!$ (where $n$ is of type $C$):

$$(\nu\forall)\ \frac{[E(n) := 1]\phi(n) \wedge \forall i{:}C!\,[E(n) := 1]\phi(i)}{[E(n) := 1]\,\forall i{:}C!\,\phi(i)} \qquad (\nu\exists)\ \frac{[E(n) := 1]\phi(n) \vee \exists i{:}C!\,[E(n) := 1]\phi(i)}{[E(n) := 1]\,\exists i{:}C!\,\phi(i)}$$

They commute the effect $[E(n) := 1]$ of object creation with quantification, retaining the effect on the new object explicitly. Rule ν∀ states that the new object denoted by $n$, which may not have been created before, needs to satisfy $\phi(n)$ too in order for $\forall i{:}C!\,\phi(i)$ to hold after $E(n) := 1$ ensures that $n$ is created. Dually, rule ν∃ states that created object $n$ is an alternative choice for $i$, in addition to the previous domain of $C!$.

A similar derived rule ν$\mathcal{A}$ states that, after creating an object of type $C$, this created object will be affected by actualist quantified assignments ranging over $C!$, so that commuting has to take care of the effect on the new object explicitly:

$$(\nu\mathcal{A})\ \frac{[\forall i{:}C!\cup\{n\}\, f(s) := \theta][E(n) := 1]\phi}{[E(n) := 1][\forall i{:}C!\, f(s) := \theta]\phi}$$

For this situation where $n$ is adjoined to the range of quantification ($n$ might even have been in the range before, so the union is not necessarily disjoint), we use the following mnemonic abbreviation in the premise of ν$\mathcal{A}$:

$$\forall i{:}C!\cup\{n\}\, f(s) := \theta \ \equiv\ \forall i{:}C\,\big(f(s) := \text{if } i = n \vee E(i) = 1 \text{ then } \theta \text{ else } f(s) \text{ fi}\big)$$

Note that we cannot simply apply the assignment to $n$ separately before $\forall i{:}C!\, f(s) := \theta$ as in $i := n;\ f(s) := \theta;\ \forall i{:}C!\, f(s) := \theta$, because that would change $f$ twice if $n$ already existed initially.

7. Soundness

We have presented a proof calculus for QdL in Section 6. One of the most important questions about it is whether we can rely on the proofs and know that every QdL formula proven in the QdL calculus is really a valid formula. That is, the question is whether the QdL calculus is sound. An unsound calculus would be disastrous, because we could use it to "prove" counterfactual properties. We need to make sure that the proof calculus fits to the semantics of QdL. Indeed it does.

Theorem 7.1 (Soundness). The QdL calculus is sound: every QdL formula that can be proven in the QdL calculus is valid, i.e., true in all states.



Proof. The calculus is sound if each rule instance is sound. Some of the rules of the QdC 
calculus are even locally sound, i.e., their conclusion is true at state a if all its premises 
are true at <r, which implies soundness. The proofs for the propositional rules, and regular 
rules |[;]|(;)|[U]|(U)|[?]|(?)1 are as usual [PlalOb] . We refer to previous work |Pla08al IPTaTOb] 



for the soundness proofs for l3r|Vl|Vr|31|i3l which are more involved. 

] Rule |iV| is locally sound. For this, we assume that the premise holds, i.e., we as- 
sume a (= QE(VX,y(ifs = rthen*(X)-^*(X)else$(X)^-*(y)fi)). Since QE yields 
an equivalence, we conclude a \= VX, Y (if s = fthen &(X)->fy(X) else <5(X)->\r/(Y~) fi). 
This is equivalent to a \= if s = fthen VX ($(X)-)>*(X)) elseVX,y ($(X)-^(y))fi, be- 
cause the fresh variables X, Y do not occur in s or t. Then we assume the antecedent 
of the conclusion is true, i.e., a \= $(/(s)). We conclude that the succedent of the 
conclusion is true, a \= \P(/(t)), by choosing for X and <r[/(F)] for Y in the 

premise. If a |= _i (s = t) then a |= ^(f(t)) follows directly from the premise. If, oth- 
erwise, a \= s = t, then a \= ^(f(t)) also follows, because the choice cr[/(s)] for X is 
identical to the choice <r[/(r)] for Y in the premise. By admissibility of substitutions, 
any variables occurring in terms s and t are free at all occurrences of f(s) and f{t), hence 
their value is the same in all occurrences. 



$\langle:=\rangle$ Rule $\langle:=\rangle$ is locally sound for injective $\forall i:C\ f(s):=\theta$, which we abbreviate as $\mathcal{A}$. Injective $\mathcal{A}$ give a deterministic transition. We assume that the premise holds: $\sigma \models \text{if } \exists i:C\ s=\langle\mathcal{A}\rangle u \text{ then } \exists i:C\,(s=\langle\mathcal{A}\rangle u \wedge \phi(\theta)) \text{ else } \phi(f(\langle\mathcal{A}\rangle u)) \text{ fi}$. We now show that $\sigma \models \phi(\langle\forall i:C\ f(s):=\theta\rangle f(u))$. First assume that, with a fresh variable $z$, $\phi(z)$ is a first-order formula without modalities or quantifiers. Let $\tau$ be the (unique) state with $(\sigma,\tau)\in\rho(\forall i:C\ f(s):=\theta)=\rho(\mathcal{A})$. By renaming, we can assume the quantified variable $i$ not to occur anywhere else than in $\mathcal{A}$. We write this occurrence constraint as $i\not\in u$ and $i\not\in\phi(z)$.

• Suppose $\sigma \models \exists i:C\ s=\langle\mathcal{A}\rangle u$, then $\sigma \models \exists i:C\,(s=\langle\mathcal{A}\rangle u \wedge \phi(\theta))$ by premise. That is equivalent to: there is an $e\in\sigma(C)$ with $\sigma_i^e \models s=\langle\mathcal{A}\rangle u \wedge \phi(\theta)$. That means $(\sigma_i^e)_z^d \models \phi(z)$ for $d := \sigma_i^e\llbracket\theta\rrbracket$ by the substitution lemma. This is equivalent to $\sigma_z^d \models \phi(z)$, because $i\not\in\phi(z)$, i.e., $i$ does not occur in $\phi(z)$, so that its value is irrelevant. We want to show that $\sigma_z^d \models \phi(z)$ also holds for $d = \sigma\llbracket\langle\mathcal{A}\rangle f(u)\rrbracket$, because this implies $\sigma \models \phi(\langle\mathcal{A}\rangle f(u))$ by the substitution lemma. Now
\[
\sigma\llbracket\langle\mathcal{A}\rangle f(u)\rrbracket
= \tau\llbracket f(u)\rrbracket
= \tau(f)(\tau\llbracket u\rrbracket)
= \tau(f)(\sigma\llbracket\langle\mathcal{A}\rangle u\rrbracket)
\stackrel{*}{=} \tau(f)(\sigma_i^e\llbracket s\rrbracket)
= \sigma_i^e\llbracket\theta\rrbracket
= d
\]
Thus $\sigma \models \phi(\langle\mathcal{A}\rangle f(u))$. The equality marked $*$ holds, because the premise implies $\sigma_i^e \models s=\langle\mathcal{A}\rangle u$, which yields
\[
\sigma_i^e\llbracket s\rrbracket = \sigma_i^e\llbracket\langle\mathcal{A}\rangle u\rrbracket = \sigma\llbracket\langle\mathcal{A}\rangle u\rrbracket
\]

• Suppose $\sigma \models \neg\exists i:C\ s=\langle\mathcal{A}\rangle u$, then $\sigma \models \phi(f(\langle\mathcal{A}\rangle u))$ by the premise. Consequently $\sigma_z^d \models \phi(z)$ for $d := \sigma\llbracket f(\langle\mathcal{A}\rangle u)\rrbracket$ by the substitution lemma. We show that $\sigma_z^d \models \phi(z)$ also holds for $d = \sigma\llbracket\langle\mathcal{A}\rangle f(u)\rrbracket$, because this implies $\sigma \models \phi(\langle\mathcal{A}\rangle f(u))$ by the substitution lemma. This time we have
\[
\sigma\llbracket\langle\mathcal{A}\rangle f(u)\rrbracket
= \tau\llbracket f(u)\rrbracket
= \tau(f)(\tau\llbracket u\rrbracket)
\stackrel{*}{=} \sigma(f)(\tau\llbracket u\rrbracket)
= \sigma(f)(\sigma\llbracket\langle\mathcal{A}\rangle u\rrbracket)
= \sigma\llbracket f(\langle\mathcal{A}\rangle u)\rrbracket
= d
\]
The equality marked $*$ holds, because, by assumption $\sigma \models \neg\exists i:C\ s=\langle\mathcal{A}\rangle u$, we know that for position $\tau\llbracket u\rrbracket = \sigma\llbracket\langle\mathcal{A}\rangle u\rrbracket$ there is no $e\in\sigma(C)$ such that
\[
\sigma_i^e\llbracket s\rrbracket = \tau\llbracket u\rrbracket = \sigma\llbracket\langle\mathcal{A}\rangle u\rrbracket
\]
Thus $\mathcal{A}$ has no effect on the interpretation of $f$ at position $\tau\llbracket u\rrbracket$ and $\sigma$ and $\tau$ agree at that position.

In both cases, equivalence of premise and conclusion can be established by following the equations and equivalences backwards, which also gives a proof for the dual rule $[:=]$.

For the case where $\phi(z)$ contains modalities or quantifiers, the proof is accordingly using the substitution lemma and the fact that the interpretation of the symbols occurring in $\langle\mathcal{A}\rangle f(u)$ is not affected by the modalities and quantifiers in $\phi(z)$ (since all substitutions need to be admissible for QdL rules to be applicable).

Local soundness of the rule for injective quantified assignments $\forall i:C\ f(s):=\theta$ applied to a different operator is a simple consequence of the fact that a quantified assignment to $f$ cannot affect the evaluation of another operator $\Upsilon\neq f$, but only its arguments (assuming admissible substitutions).

[E] The soundness of axiom [E] (i.e., validity of the conclusion) is a simple consequence of the fact that we have assumed finite support for the createdness flag $E(\cdot)$ and that domains are infinite. That is, there are only finitely many $e\in\sigma(C)$ with $\sigma_i^e \models E(i)=1$, yet domain $\sigma(C)$ is infinite. Consequently, in every state $\sigma$, there always is a choice $e$ for $i$ that has not been created yet ($\sigma_i^e \models E(i)\neq 1$).



$\langle'\rangle$ Rule $\langle'\rangle$ is locally sound. Let $y_s(t)$ be simultaneous solutions for the respective differential equations with symbolic initial values $f(s)$ and let $\langle\forall i:C\ f(s):=y_s(t)\rangle$ denote the quantified assignment $\forall i:C\ f(s):=y_s(t)$. Assume $\sigma$ satisfies the premise: $\sigma \models \exists t{\ge}0\,(\bar\chi \wedge \langle\forall i:C\ f(s):=y_s(t)\rangle\phi)$, with $\forall 0{\le}\tilde t{\le}t\ \langle\forall i:C\ f(s):=y_s(\tilde t)\rangle\chi$ abbreviated as $\bar\chi$. By premise, there is a real $r\ge 0$ such that $\sigma_t^r \models \bar\chi \wedge \langle\forall i:C\ f(s):=y_s(t)\rangle\phi$. Abbreviate $\forall i:C\ f(s)'=\theta\,\&\,\chi$ by $\mathcal{D}$. We have to show that $\sigma \models \langle\mathcal{D}\rangle\phi$. Equivalently, we show $\sigma_t^r \models \langle\mathcal{D}\rangle\phi$, because $t$ is a fresh variable that does not occur in $\mathcal{D}$ or $\phi$. Let function $\varphi:[0,r]\to\mathcal{S}$ be defined such that $(\sigma,\varphi(\zeta))\in\rho(\forall i:C\ f(s):=y_s(\zeta))$ for all $\zeta\in[0,r]$. By premise, $\varphi(0)$ is identical to $\sigma$ and $\phi$ holds at $\varphi(r)$. Thus it only remains to be shown that $\varphi$ respects the constraints for the flow function $\varphi$ in the definition of the semantics of $\rho(\mathcal{D})$ in Section 4. In fact, $\varphi$ obeys the continuity and differentiability properties required for well-definedness of time-derivatives by the corresponding properties of the solution $y_s(t)$. Moreover, for any $e\in\sigma(C)$, $\varphi(\zeta)_i^e\llbracket f(s)\rrbracket = (\sigma_t^\zeta)_i^e\llbracket y_s(t)\rrbracket$ has a derivative of value $\varphi(\zeta)_i^e\llbracket\theta\rrbracket$, because $y_s$ is a solution of the quantified differential equation $\forall i:C\ f(s)'=\theta$ with corresponding initial values $\sigma(f(s))$. Further, it can be shown that the evolution invariant region $\chi$ is respected along $\varphi$ as follows: By premise, $\sigma_t^r \models \bar\chi$ holds for the initial state $\sigma_t^r$, thus $\varphi(\zeta)\models\chi$ for all $\zeta\in[0,r]$. Combining these results, we can conclude that $\varphi$ is a witness for $\sigma \models \langle\mathcal{D}\rangle\phi$.

The converse direction can be shown accordingly to prove equivalence and the dual rule $[']$ for quantified differential equations with unique solutions (see the end of Section 4). Without unique solutions, the rule is more complicated, but still works: all parameters of all parametric solutions will need to be quantified over in addition to time $t\ge0$.

The rules for nondeterministic assignment are locally sound by a simple consequence of the fact that arbitrary nondeterministic assignment of $\theta$ for any $j$ of type $C$ to $n$ is the same as corresponding quantification over $C$. The semantics of $[\forall j:C\ n:=\theta]$ then is equivalent to universal quantification, that of $\langle\forall j:C\ n:=\theta\rangle$ is equivalent to existential quantification.

Rules $[gen]$, $\langle gen\rangle$, $ind$, $con$ are sound (but not locally sound) by a variation of the usual proofs [HKT00, Pla10b]. For $\langle gen\rangle$, let premise $\phi\to\psi$ be valid. Let the antecedent be true in a state: $\sigma \models \langle\alpha\rangle\phi$, i.e., let $(\sigma,\tau)\in\rho(\alpha)$ with $\tau\models\phi$. Hence the premise implies $\tau \models \phi\to\psi$, thus $\tau\models\psi$, which implies $\sigma \models \langle\alpha\rangle\psi$. The proof for $[gen]$ is similar.

$ind$ Let premise $\phi\to[\alpha]\phi$ be valid and let the antecedent of the conclusion be true in $\sigma$, that is $\sigma\models\phi$. By premise, $\tau\models\phi$ for all states $\tau$ with $(\sigma,\tau)\in\rho(\alpha)$. We thus conclude $\sigma \models \phi\to[\alpha^*]\phi$ by induction along the series of states reached from $\sigma$ by repeating $\alpha$.

$con$ Assume that the antecedent is valid and that the premise holds in $\sigma$. By premise, we have that $\tau \models v>0 \wedge \varphi(v) \to \langle\alpha\rangle\varphi(v-1)$ for all states $\tau$. By antecedent, there is a $d\in\mathbb{R}$ such that $\sigma_v^d \models \varphi(v)$. Now, the proof is a well-founded induction on $d$. If $d\le 0$, we have $\sigma \models \langle\alpha^*\rangle\exists v{\le}0\ \varphi(v)$ directly for zero repetitions. Otherwise, if $d>0$, we have, by premise, that
\[
\sigma_v^d \models v>0 \wedge \varphi(v) \to \langle\alpha\rangle\varphi(v-1)
\]
As $v>0 \wedge \varphi(v)$ holds true at $\sigma_v^d$, we have $\tau \models \varphi(v-1)$ for some $\tau$ with $(\sigma_v^d,\tau)\in\rho(\alpha)$. Thus, $\tau_v^{d-1} \models \varphi(v)$ satisfies the induction hypothesis for a smaller $d$ and a reachable $\tau$, because $(\sigma,\tau)\in\rho(\alpha)$ as $v$ does not occur in $\alpha$. The induction is well-founded, because $d$ decreases by 1 up to the base case $d\le 0$. □



8. Completeness

The verification problem for distributed hybrid systems is extremely challenging. It has three independent sources of undecidability. Thus, no verification technique can be effective. Hence, QdL cannot be effectively axiomatizable. The discrete fragment of QdL is not effectively axiomatizable and the discrete fragment of QHPs is a computationally complete sublanguage. The continuous fragment of QdL is also not effectively axiomatizable. The fragment with only structural and dimension-changing dynamics is not effective either, because it can encode two-counter machines in link data structures. As a stronger result, we give a simple proof showing that each of those fragments of QdL can define first-order integer arithmetic and are, thus, affected by Gödel's incompleteness theorem [Göd31].

Theorem 8.1. (Incompleteness of QdL). The discrete fragment of QdL, the continuous fragment of QdL, and the fragment of QdL with structural and dimension-changing dynamics are not effectively axiomatizable, i.e., they have no sound and complete effective calculus, because natural numbers are definable in each of those fragments.

Proof. We prove that natural numbers are definable among the real numbers of QdL interpretations in all three fragments. Then these fragments extend first-order integer arithmetic such that the incompleteness theorem of Gödel [Göd31] applies. Gödel's incompleteness theorem shows that no logic extending first-order integer arithmetic can have a sound and complete effective calculus. Natural numbers are definable in the discrete fragment using repetitive additions without continuous evolutions, quantified state change, or first-order function symbols:
\[
\mathrm{nat}(n) \leftrightarrow \langle x:=0;\ (x:=x+1)^*\rangle\, x=n.
\]
In the continuous fragment, an isomorphic copy of the natural numbers is definable using linear ordinary (non-quantified) differential equations without first-order function symbols:
\[
\mathrm{nat}(n) \leftrightarrow \exists s\,\exists c\,\exists\tau\,\bigl(s=0 \wedge c=1 \wedge \tau=0 \wedge \langle s'=c,\ c'=-s,\ \tau'=1\rangle(s=0 \wedge \tau=n)\bigr).
\]
These differential equations characterise sin and cos as unique solutions for $s$ and $c$, respectively. Their zeros, as detected by $\tau$, correspond to an isomorphic copy of natural numbers, scaled by $\pi$, i.e., $\mathrm{nat}(n)$ holds iff $n$ is of the form $k\pi$ for a $k\in\mathbb{N}$; see Fig. 5. The initial values for $s$ and $c$ prevent the trivial solution identical to 0.

Figure 5: Characterisation of $\mathbb{N}$ as zeros of solutions of differential equations.

Integer arithmetic for natural numbers is also definable in the fragment with only structural and dimensional dynamics. The proof is somewhat more involved, because we do not consider data arithmetic to be part of that fragment. Instead, we characterize natural numbers by chains of links along the values of a function $p$, where we encode zero by a constant symbol $z$:
\[
\mathrm{nat}(n) \leftrightarrow \langle(?n\neq z;\ n:=p(n))^*\rangle\, n=z.
\]
We characterize addition by a QHP $\mathrm{plus}(s,n,m)$ to express that the result of adding the natural numbers represented by $n$ and $m$ yields the number represented by $s$:
\[
\begin{array}{rl}
\mathrm{plus}(s,n,m) \equiv & s:=z;\ (?n\neq z;\ n:=p(n);\ v:=\mathrm{new};\ p(v):=s;\ s:=v)^*;\\
& (?m\neq z;\ m:=p(m);\ v:=\mathrm{new};\ p(v):=s;\ s:=v)^*;\ ?(n=z \wedge m=z)
\end{array}
\]
The idea behind this characterization is to create a new chain of links along the values of $p$ by first creating exactly as many links as we can follow along $p$ when starting from $n$, and then continue creating exactly as many links as we can follow along $p$ when starting from $m$, instead; see Fig. 6. The number of links of the result $s$ then is the sum of the respective numbers of links of $n$ and $m$.

Figure 6: Characterization of $\mathbb{N}$ addition with $p$ links in dimensional dynamics (the figure shows a new copy of $n$ followed by an appended new copy of $m$, giving $n+m$ links in total).

We characterize multiplication by a QHP $\mathrm{times}(s,n,m)$ to express that the result of multiplying the natural numbers represented by $n$ and $m$ yields the number represented by $s$:
\[
\mathrm{times}(s,n,m) \equiv s:=z;\ (?n\neq z;\ n:=p(n);\ \mathrm{plus}(t,m,s);\ s:=t)^*;\ ?n=z
\]
The idea behind this characterization is to compute multiplication by a corresponding number of additions characterized by $\mathrm{plus}(t,m,s)$. That is, the product of $n$ and $m$ can be computed by adding $m$ to an accumulator $s$, $n$ times. □
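The following Python simulation is an added illustration of the link-chain encoding behind $\mathrm{nat}$, $\mathrm{plus}$ and $\mathrm{times}$; it is example code written for this edit, not code from the paper. A natural number is represented by an object from which a chain of $p$-links leads to $z$, objects are allocated with `new`, and the loop bodies are executed exactly as the QHPs above prescribe. The star loops are nondeterministic, but only the run that follows every link survives the trailing test $?(n=z \wedge m=z)$, and that is the run the simulation performs. The class name `Structure`, the object naming scheme `o1, o2, ...` and the `fuel` bound are conventions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

Z = "z"  # the constant symbol z that encodes zero


@dataclass
class Structure:
    """A first-order state of the structural/dimensional fragment: a link
    function p defined only at the finitely many created objects.
    Object naming (o1, o2, ...) is a convention of this example."""
    p: Dict[str, str] = field(default_factory=dict)
    created: int = 0

    def new(self) -> str:
        """v := new -- allocate an object that has not been created before."""
        self.created += 1
        return f"o{self.created}"

    def chain(self, k: int) -> str:
        """Construct a representative of k: a chain of k p-links ending in z."""
        n = Z
        for _ in range(k):
            v = self.new()
            self.p[v] = n
            n = v
        return n

    def nat(self, n: str, fuel: int = 10_000) -> Optional[int]:
        """nat(n) <-> <(?n != z; n := p(n))*> n = z.  Follow links from n; the
        run that passes the final test n = z is the one that follows all of
        them, so the link count is the number represented.  Returns None if n
        is not a finite chain to z (dangling link or cycle, bounded by fuel)."""
        count = 0
        while n != Z:
            if n not in self.p or count >= fuel:
                return None
            n = self.p[n]
            count += 1
        return count

    def plus(self, n: str, m: str) -> str:
        """plus(s,n,m) = s := z; (?n != z; n := p(n); v := new; p(v) := s; s := v)*;
                             (?m != z; m := p(m); v := new; p(v) := s; s := v)*;
                             ?(n = z & m = z).
        Only the run that exhausts both source chains passes the last test."""
        s = Z
        for src in (n, m):          # first copy n, then append a copy of m
            while src != Z:         # loop guard ?src != z
                src = self.p[src]   # src := p(src)
                v = self.new()      # v := new
                self.p[v] = s       # p(v) := s
                s = v               # s := v
        return s

    def times(self, n: str, m: str) -> str:
        """times(s,n,m) = s := z; (?n != z; n := p(n); plus(t,m,s); s := t)*; ?n = z.
        Adds m to the accumulator s once per link of n."""
        s = Z
        while n != Z:
            n = self.p[n]
            t = self.plus(m, s)     # plus(t, m, s): t represents m + s
            s = t
        return s


def demo() -> Dict[str, Optional[int]]:
    """Decode a few results; the chains are constructed sample input."""
    st = Structure()
    two, three, four = st.chain(2), st.chain(3), st.chain(4)
    st.p["loop"] = "loop"          # an object whose links never reach z
    return {
        "2+3": st.nat(st.plus(two, three)),
        "3*4": st.nat(st.times(three, four)),
        "0+0": st.nat(st.plus(Z, Z)),
        "0*4": st.nat(st.times(Z, four)),
        "loop": st.nat("loop"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `plus` and `times` never overwrite links of the chains they read: `n := p(n)` only rebinds the program variable, and every link written goes into a freshly created object, which is what keeps the result chain disjoint from the inputs as Fig. 6 depicts.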

The standard way to show adequacy of proof calculi for problems that are not effective is to prove completeness relative to an oracle for handling a fragment of the logic. Unlike in Cook/Harel relative completeness for discrete programs [Coo78, HKT00], however, QdL cannot be complete relative to the fragment of the data logic (many-sorted first-order logic with reals), because first-order real arithmetic is decidable and many-sorted first-order logic is semidecidable. If the QdL calculus would be complete relative to its data of many-sorted first-order logic with real arithmetic, then, since this is a semidecidable logic, the QdL calculus would be complete altogether, which would contradict Theorem 8.1. Thus, we need a different basis for a relative completeness argument. Unlike in conventional discrete programs, the complexity of distributed hybrid systems truly originates from the actual dynamics, not the data.

Theorem 8.1 shows that the discrete fragment, the continuous fragment, and also the structural/dimensional fragment of QdL each cause non-axiomatizability of QdL. The combination of these fragments and their repeated interaction in the QHP dynamics of QdL cannot be any easier. We prove that, nevertheless, our QdL calculus is a complete axiomatization relative to the fragment of QdL that has only quantified differential equations in modalities. We call this sublogic FOQD, the first-order logic of quantified differential equations, i.e., (many-sorted) first-order logic with real arithmetic augmented with formulas expressing properties of quantified differential equations, that is, QdL formulas of the form $[\forall i:C\ f(s)'=\theta\,\&\,\chi]F$. The dual formula $\langle\forall i:C\ f(s)'=\theta\,\&\,\chi\rangle F$ is expressible as $\neg[\forall i:C\ f(s)'=\theta\,\&\,\chi]\neg F$. Note that the inclusion of $\chi$ in FOQD is not essential [Pla12].

Theorem 8.2. (Axiomatization). The calculus in Fig. 4 is a sound and complete axiomatization of QdL relative to quantified differential equations, i.e., every valid QdL formula can be derived from valid FOQD tautologies.

Proof Outline. The (constructive) proof, which, in full, is contained in the remainder of this section, generalizes our earlier proof for static, unquantified hybrid systems [Pla08a] to QdL and distributed hybrid systems. We prove that every valid QdL formula can be proven in the QdL calculus from elementary properties of quantified differential equations (valid oracle instances). The crucial step is to show that every valid property of a repetition $\alpha^*$ of a QHP $\alpha$ for a distributed hybrid system can be proven by $ind$ or $con$ with a sufficiently strong invariant or variant that is expressible in QdL. For this, we show that QHP transitions can be characterized in QdL. One decisive difference to our previous proof [Pla08a] is the need to show that states can be characterized by a fixed-size vector of real numbers, and can thus be quantified over. This is easy in static finite-dimensional systems, but a fairly tricky challenge in unbounded varying-dimensional systems with first-order functions. □

This central result shows that properties of distributed hybrid systems can be proven to exactly the same extent to which properties of quantified differential equations can be proven. Proof-theoretically, the QdL calculus completely lifts verification techniques for quantified continuous dynamics to distributed hybrid dynamics. Even though distributed hybrid systems have numerous independent sources of undecidability, we have shown that all true QdL formulas can be proven in our QdL calculus, if only we manage to tame the complexity of the continuous dynamics. Despite these new independent sources of undecidability, we have shown that QdL can still be axiomatized completely relative to differential equations, only now they are quantified differential equations.

Another important consequence of this result is that decomposition is successful in taming the complexity of distributed hybrid systems. The QdL proof calculus is strictly compositional. All proof rules prove logical formulas or properties of QHPs by reducing them to structurally simpler QdL formulas. As soon as we understand that the distributed hybrid systems complexity comes from a combination of several simpler aspects, we can, hence, tame the system complexity by reducing it to analyzing the dynamical effects of simpler parts. This decomposition principle is exactly how QdL proofs can scale to interesting systems in practice. The relative completeness Theorem 8.2 gives the theoretical evidence why this principle works in general.

In the remainder of this section, we present a fully constructive proof of Theorem 8.2. We have already shown that the QdL calculus is a sound axiomatization of QdL in Theorem 7.1. We need to prove that the QdL calculus is a complete axiomatization relative to quantified differential equations: every valid QdL formula can be derived in the QdL calculus from elementary properties of quantified differential equations. We need to prove that every valid QdL formula can be derived in the QdL calculus from a finite set of valid FOQD tautologies. A road map of the proof of Theorem 8.2 that we present here is above.

The basic structure follows that of our relative completeness proof for unquantified differential dynamic logic for fixed-dimensional static hybrid systems in previous work [Pla08a]. Here we generalize the proof to QdL. A fundamental difference to previous work is that states can be characterized trivially in fixed-dimensional static hybrid systems, but it is not obvious why a finite formula would be sufficient in varying dimensions. In (dynamic) distributed hybrid systems, we have to prove that there is a finite formula that can characterize and identify all states (see Section 8.2). In fixed-dimensional static hybrid systems, states can be characterized and identified trivially by a fixed vector of real numbers for each system variable. In QdL, instead, states are full first-order structures with interpretations of functions for all function symbols and the ability to characterize semantic states in logic is no longer obvious. States are no longer assignments of real numbers to a finite number of variables. In QdL, states are full first-order interpretations of function symbols.

Natural numbers are definable in FOQD by Theorem 8.1. Thus, we allow quantifiers over natural numbers like $\forall x:\mathbb{N}\ \phi$ and $\exists x:\mathbb{N}\ \phi$ and over integers $\forall x:\mathbb{Z}\ \phi$ as abbreviations.

8.1. Characterizing Real Gödel Encodings. As the central device for constructing a FOQD formula that captures the effect of unboundedly many repetitive hybrid transitions and just uses finitely many real variables, we show that a real version of Gödel encoding is definable in FOQD. That is, we show that there is a FOQD formula that reversibly packs finite sequences of real values into a single real number.

Observe that a single differential equation system is not sufficient for defining these pairing functions as their solutions are differentiable, yet, as a consequence of Morayne's theorem [Mor87], there is no differentiable surjection $\mathbb{R}\to\mathbb{R}^2$, nor to any part of $\mathbb{R}^2$ of positive measure. We show that real sequences can be encoded nevertheless by chaining the effects of solutions of multiple differential equations and quantifiers.

Lemma 8.3. ($\mathbb{R}$-Gödel encoding). The formula $\mathrm{at}(Z,n,j,z)$, which holds iff $Z$ is a real number that represents a Gödel encoding of a sequence of $n$ real numbers with real value $z$ at position $j$ (for a position $j$ with $1\le j\le n$), is definable in FOQD. For a formula $\phi(z)$

Proof. The proof is an immediate corollary to a result from previous work [Pla08a, Lemma 4].



8.2. First-order State Identification. The crucial step in the proof of Theorem 8.2 is the construction of QdL (in)variants that are strong enough to characterize properties of repetition. In order to be able to characterize QHP state transitions in QdL (in)variants for the completeness proof, we first need to find formulas that characterize/identify states. For finite-dimensional systems of a fixed dimension $n$, states can simply be characterized completely by the values of all $n$ real state variables. A particular state could be characterized uniquely by the formula $x=2 \wedge y=0.5 \wedge z=-0.382$, for example. As a trivial corollary to Lemma 8.3, states can then even be characterized uniquely by one real number when using the $\mathbb{R}$-Gödel encoding. For infinite-dimensional systems, systems with changing dimension, or systems with a dynamics that depends on evolving interpretations of function symbols $f(s)$, the situation is more difficult. After all, a state of QdL is a full first-order structure with functions as interpretations of function symbols, and these interpretations can change from state to state. Furthermore, in order to navigate among states during the completeness proof, we need to be able to characterize the current first-order state, but also to recall a previously identified first-order state and express what holds true at this state.

We show that the first-order states reachable with QHP $\alpha$ from an initial state can, nevertheless, be characterized uniquely by real numbers, which can thus be quantified over. Furthermore, we show that this correspondence can be axiomatized in FOQD. One key observation is that the first-order interpretations can change from state to state, but only according to the dynamics of the QHP. Intuitively, the difference of any reachable first-order state to the initial state can be characterized by a finite list of differences to the initial state. Clearly this difference concerns only finitely many symbols occurring in $\alpha$. It also concerns only finitely many positions of their interpreted functions, because actualist quantified assignments and actualist quantified differential equations only change the interpretation of finitely many function symbols at finitely many positions (actual quantified domains $C$ occurring in actualist quantifiers of QHPs are finite). Note that it is crucial for this argument that we have assumed the actual existence predicate $E(i)$ to have finite support.

Lemma 8.4. (State identification). Let $\Sigma_b$ be a finite set of function symbols containing $E(\cdot)$. The operators $\downarrow$ and $@$, which identify and recall states reachable by QHPs, are definable in FOQD such that:

(1) For every QHP $\alpha$ with $BV(\alpha)\subseteq\Sigma_b$, every variable $\mathcal{B}$ of sort $\mathbb{R}$, and every state $\sigma$, the formula ${\downarrow}\mathcal{B}$ is true in at most one of the states reachable by $\alpha$ from $\sigma$. That is, there is at most one state $\iota$ such that $(\sigma,\iota)\in\rho(\alpha)$ and $\iota \models {\downarrow}\mathcal{B}$.

(2) For every QHP $\alpha$ with $BV(\alpha)\subseteq\Sigma_b$, every variable $\mathcal{B}$ of sort $\mathbb{R}$, every formula $\phi$, and every state $\sigma$, the formula $@\mathcal{B}\,\phi$ is true in any state reachable by $\alpha$ from $\sigma$ if and only if $\phi$ is true in the (unique) state that is reachable by $\alpha$ from $\sigma$ in which ${\downarrow}\mathcal{B}$ holds (provided such a state is reachable at all, otherwise the truth-value of $@\mathcal{B}\,\phi$ is arbitrary). That is, suppose there is a state $\iota$ such that $(\sigma,\iota)\in\rho(\alpha)$ and $\iota \models {\downarrow}\mathcal{B}$ (thus, by case (1), $\iota$ is unique with that property). Then for any state $\tau$ with $(\sigma,\tau)\in\rho(\alpha)$, it is the case that $\tau \models @\mathcal{B}\,\phi$ if and only if $\iota\models\phi$. If, on the contrary, there is no state $\iota$ with $(\sigma,\iota)\in\rho(\alpha)$ and $\iota \models {\downarrow}\mathcal{B}$, then this lemma makes no statement concerning the truth of formula $@\mathcal{B}\,\phi$ at any state $\tau$.

Proof. The formulas ${\downarrow}\mathcal{B}$ and $@\mathcal{B}\,\phi$ are like the here and at operators of hybrid-nominal logic. We show that they can be characterized by FOQD formulas. For defining ${\downarrow}\mathcal{B}$ and $@\mathcal{B}\,\phi$, we use an auxiliary function $\mathrm{is}_f(\mathcal{B},o)$ to improve readability. The formula $\vartheta=\mathrm{is}_f(\mathcal{B},o)$ is true if the value of $\vartheta$ coincides with the value of $f$ at position $o$ according to the state characterized by $\mathcal{B}$ (i.e., where ${\downarrow}\mathcal{B}$ is true). We characterize $\vartheta=\mathrm{is}_f(\mathcal{B},o)$ by the following FOQD formula:
\[
\text{if } \exists s:\mathbb{N}\,(s\le m \wedge X^{(m)}_s=o) \text{ then } \exists s:\mathbb{N}\,(s\le m \wedge X^{(m)}_s=o \wedge \vartheta=Y^{(m)}_s) \text{ else } \vartheta=f(o) \text{ fi}
\]
where $\mathcal{B}$ is split into the following abbreviations $m := (\mathcal{B}^{(d)}_i)^{(3)}_1$, $X := (\mathcal{B}^{(d)}_i)^{(3)}_2$, $Y := (\mathcal{B}^{(d)}_i)^{(3)}_3$; further $d$ is the number of symbols in $\Sigma_b$, and $i$ is the index of $f$ in $\Sigma_b$.

The function symbol $\mathrm{is}_f(\mathcal{B},o)$ gives the value ($\vartheta$) of function $f$ at position $o$ at the state characterized by the real number denoted by $\mathcal{B}$. It can be defined easily using the real pairing function from Lemma 8.3. The basic idea is to understand $\mathcal{B}$ via the real pairing function as a list of length $m$ of position/value pairs $(X_s/Y_s)$, which characterize changes to the value $f(o)$ for each of the finitely many function symbols $f\in\Sigma_b$. Using an arbitrary but fixed ordering, these function symbols $f$ are identified with their index $i$ in $\Sigma_b$. The most important insight for the proof is that, for every state reachable by $\alpha$ from $\sigma$, the list of changes of $f$ compared to $f(o)$ at $\sigma$ is always finite after finitely many transitions of quantified state change with finite support (see end of Section 5). Consequently, the list of changes can always be encoded by one (finite) real number according to Lemma 8.3.

Using the auxiliary definition $\vartheta=\mathrm{is}_f(\mathcal{B},o)$, we characterize cases (1) and (2), that is ${\downarrow}\mathcal{B}$ and $@\mathcal{B}\,\phi$, by the following FOQD formulas:
\[
{\downarrow}\mathcal{B} \equiv \bigwedge_{f\in\Sigma_b} \forall o:S_f\ f(o)=\mathrm{is}_f(\mathcal{B},o) \qquad \text{where } S_f \text{ is the sort of the arguments of } f
\]
\[
@\mathcal{B}\,\phi \equiv \langle\forall i:C\ \forall u:\mathbb{R}\ f(i)'=u\rangle(\phi \wedge {\downarrow}\mathcal{B})
\]
The definitions do not need recursion, so that we can consider occurrences of the defined notations as syntactic abbreviations for quantified variables satisfying the respective definitions (like for Lemma 8.3).

Case (1): The characterization for ${\downarrow}\mathcal{B}$ is defined as a conjunction over all relevant function symbols $f\in\Sigma_b$ asserting that the value $f(o)$ of $f$ at each position $o$ of the sort $S_f$ of $f$ is identical to the corresponding value $\mathrm{is}_f(\mathcal{B},o)$ characterized by $\mathcal{B}$.

Case (2): The characterization for $@\mathcal{B}\,\phi$ uses a quantified differential equation with a variable $u$ that only occurs on the right hand side and thus changes $f$ at all positions $i$ with an arbitrary slope $u$. The $@\mathcal{B}\,\phi$ characterization then checks if the appropriate state characterized by $\mathcal{B}$ has been reached using ${\downarrow}\mathcal{B}$ and further expresses that $\phi$ holds at this state. By case (1), we know that ${\downarrow}\mathcal{B}$ holds in at most one of the states reachable by $\alpha$ from $\sigma$. In the quantified differential equation system for $@\mathcal{B}\,\phi$, the second quantified variable $u$ amounts to nondeterministically specifying a slope $u$ for each $f(i)$. Unlike $i$, quantified variable $u$ only occurs on the right hand side of the quantified differential equation. Consequently, the semantics (case 2 of the transition relation $\rho(\alpha)$ defined in Section 4) defines the states corresponding to all choices for $u$ to be reachable. These respective choices for $u$ include the choice that leads to the state characterized by ${\downarrow}\mathcal{B}$, e.g., by choosing slope $u := \mathrm{is}_f(\mathcal{B},i)-f(i)$ for each $i$ and evolving for 1 time unit. To simplify notation, we define $@\mathcal{B}\,\phi$ only for $\Sigma_b=\{f\}$. The construction is repeated accordingly (by nesting modalities) for each $f\in\Sigma_b$, which are finitely many. The createdness flag $E(\cdot)$ needs to be part of $\Sigma_b$, so that object creation is taken care of on the fly. □
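To make the finite-difference idea behind $\mathrm{is}_f$, ${\downarrow}\mathcal{B}$ and $@\mathcal{B}\,\phi$ concrete, the following Python model is an added example written for this edit (not code from the paper). It represents a reachable state by its finite list of changes against the initial interpretation of a single function symbol $f$, stands in for the real number $\mathcal{B}$ with the triple $(m, X, Y)$ that the $\mathbb{R}$-Gödel encoding of Lemma 8.3 would pack into one real (the packing itself is not reproduced), and checks that ${\downarrow}\mathcal{B}$ singles out at most one state among those reachable by a hypothetical program $\alpha^*$ with $\alpha \equiv \forall i:C\ f(i):=f(i)+1$ over a finite actual domain. The initial interpretation `f_initial`, the actual domain `[1, 2, 3]` and the omission of the createdness flag $E(\cdot)$ are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Pos = int  # positions (arguments of f); the domain is conceptually infinite


def f_initial(o: Pos) -> float:
    """Interpretation of f in the initial state sigma (assumed: f(o) = 2o)."""
    return 2.0 * o


@dataclass(frozen=True)
class State:
    """A first-order state reachable from sigma: it differs from f_initial
    only at finitely many positions (finite support of quantified change)."""
    changes: Dict[Pos, float] = field(default_factory=dict)

    def f(self, o: Pos) -> float:
        return self.changes.get(o, f_initial(o))


# Stand-in for the real number B: (m, X, Y) = number of changed positions,
# the positions X_1..X_m and the values Y_1..Y_m (Lemma 8.3 would pack this
# triple into a single real; that packing is not reproduced here).
Encoding = Tuple[int, Tuple[Pos, ...], Tuple[float, ...]]


def encode(tau: State) -> Encoding:
    """Characterize tau by its list of differences to the initial state."""
    diffs = sorted((o, v) for o, v in tau.changes.items() if v != f_initial(o))
    return (len(diffs), tuple(o for o, _ in diffs), tuple(v for _, v in diffs))


def is_f(B: Encoding, o: Pos) -> float:
    """theta = is_f(B, o): recorded value Y_s if X_s = o for some s <= m,
    otherwise the initial value f(o)."""
    m, X, Y = B
    for s in range(m):
        if X[s] == o:
            return Y[s]
    return f_initial(o)


def here(B: Encoding, tau: State) -> bool:
    """Down-arrow B at tau: forall o. f(o) = is_f(B, o).  Outside the finitely
    many positions mentioned by tau or B both sides equal f_initial, so
    checking those positions decides the universally quantified formula."""
    positions = set(tau.changes) | set(B[1])
    return all(tau.f(o) == is_f(B, o) for o in positions)


def at(B: Encoding, phi: Callable[[State], object],
       reachable: List[State]) -> Optional[object]:
    """@B phi: evaluate phi in the unique reachable state where down-arrow B
    holds; None when no reachable state is identified by B."""
    hits = [t for t in reachable if here(B, t)]
    assert len(hits) <= 1          # Lemma 8.4, case (1)
    return phi(hits[0]) if hits else None


def step(tau: State, actual: List[Pos]) -> State:
    """One run of the hypothetical quantified assignment
    forall i:C f(i) := f(i) + 1 over the finite actual domain C."""
    new = dict(tau.changes)
    for i in actual:
        new[i] = tau.f(i) + 1
    return State(new)


def reachable(actual: List[Pos], max_iter: int) -> List[State]:
    """States reachable by alpha* from sigma, up to max_iter repetitions."""
    states = [State()]
    for _ in range(max_iter):
        states.append(step(states[-1], actual))
    return states


if __name__ == "__main__":
    R = reachable([1, 2, 3], 4)
    B = encode(R[2])
    print(B, [here(B, t) for t in R], at(B, lambda t: t.f(1), R))
```

The encoding of the state after two repetitions identifies exactly that state among the five reachable ones, and `at` then reads off $f(1)$ there; an encoding that no reachable state matches (a change at a position the program never touches) identifies nothing, which is the case the lemma leaves unspecified.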



8.3. Expressibility and Rendition of Quantified Hybrid Program Semantics. In order to show that QdL is sufficiently expressive to state the invariants and variants that are needed for proving valid statements about QHP loops with $ind$ and $con$, we prove an expressibility result. We give a constructive proof that the state transition relation of QHPs is definable in FOQD, i.e., there is a FOQD-formula $\mathcal{R}_\alpha(\mathcal{B})$ characterizing the state transitions of quantified hybrid program $\alpha$ from the current state to the state characterized by $\mathcal{B}$ (a real variable that characterizes a state by way of Lemma 8.4). For this, we need to characterize the dynamics of QHPs, which are dynamic distributed hybrid processes with repetitively evolving discrete, continuous, structural, and dimension-changing dynamics, equivalently by quantified differential equations in FOQD.

Lemma 8.5. (Program rendition). For every QHP $\alpha$ with symbols among a finite set $\Sigma_b\supseteq\{E(\cdot)\}$ there is a FOQD-formula $\mathcal{R}_\alpha(\mathcal{B})$ with one additional free variable $\mathcal{B}$ of sort $\mathbb{R}$ such that
\[
\models \mathcal{R}_\alpha(\mathcal{B}) \leftrightarrow \langle\alpha\rangle{\downarrow}\mathcal{B}
\]

\[
\begin{array}{rcl}
\mathcal{R}_{\forall i:C\ f(s):=\theta}(\mathcal{B}) &\equiv& \forall o:S_f\ (\text{if } \exists i:C\ o=s \text{ then } \exists i:C\,(o=s \wedge \theta=\mathrm{is}_f(\mathcal{B},o)) \text{ else } f(o)=\mathrm{is}_f(\mathcal{B},o) \text{ fi})\\
&& {}\wedge \bigwedge_{g\in\Sigma_b\setminus\{f\}} \forall o:S_g\ g(o)=\mathrm{is}_g(\mathcal{B},o)\\[1ex]
\mathcal{R}_{\forall i:C\ n:=\theta}(\mathcal{B}) &\equiv& \langle\forall i:C\ n'=\theta\rangle{\downarrow}\mathcal{B}\\
\mathcal{R}_{\forall i:C\ f(s)'=\theta\,\&\,\chi}(\mathcal{B}) &\equiv& \langle\forall i:C\ f(s)'=\theta\,\&\,\chi\rangle{\downarrow}\mathcal{B}\\
\mathcal{R}_{?\chi}(\mathcal{B}) &\equiv& \chi \wedge {\downarrow}\mathcal{B}\\
\mathcal{R}_{\beta\cup\gamma}(\mathcal{B}) &\equiv& \mathcal{R}_\beta(\mathcal{B}) \vee \mathcal{R}_\gamma(\mathcal{B})\\
\mathcal{R}_{\beta;\gamma}(\mathcal{B}) &\equiv& \exists\mathfrak{B}\,(\mathcal{R}_\beta(\mathfrak{B}) \wedge @\mathfrak{B}\,\mathcal{R}_\gamma(\mathcal{B}))\\
\mathcal{R}_{\beta^*}(\mathcal{B}) &\equiv& \exists\mathfrak{B}\,\exists n:\mathbb{N}\,\bigl({\downarrow}\mathfrak{B}^{(n)}_1 \wedge \mathfrak{B}^{(n)}_n=\mathcal{B} \wedge \forall i:\mathbb{N}\,(1\le i<n \to @\mathfrak{B}^{(n)}_i\,\mathcal{R}_\beta(\mathfrak{B}^{(n)}_{i+1}))\bigr)
\end{array}
\]
Figure 7: Explicit rendition of QHP transition semantics in FOQD



Proof. The program rendition is defined inductively in Fig. 7. The characterization of quantified assignments is a variation of the characterization of ${\downarrow}\mathcal{B}$ from the proof of Lemma 8.4. The only difference is that the value $\theta$ is used instead of $f(o)$ for positions $o$ that are affected by the quantified state change, i.e., $o$ is of the form $s$ for some $i$ (where the quantified assignment matches as expressed by $\exists i:C\ o=s$). Quantified differential equations give FOQD-formulas already, because ${\downarrow}\mathcal{B}$ is a FOQD-formula, hence no further reduction is necessary.

With a finite formula, the characterization of repetition $\mathcal{R}_{\beta^*}(\mathcal{B})$ in FOQD needs to capture arbitrarily long sequences of intermediate first-order states and the correct transition between successive states of such a sequence. To achieve this with first-order quantifiers, we use the real Gödel encoding from Lemma 8.3 in Fig. 7 along with the first-order state identification from Lemma 8.4 to map unbounded sequences of real first-order states reversibly to a single real variable $\mathfrak{B}$, which can be quantified over in first-order logic and identify a first-order state with it by Lemma 8.4. □

Using the QHP rendition from Lemma 8.5 to characterize modalities, we prove that every QdL formula can be expressed equivalently in FOQD by structural induction.

Lemma 8.6. (Expressibility). QdL is expressible in FOQD: for all QdL formulas $\phi\in\mathrm{Fml}$ there is a FOQD-formula $\phi^\flat\in\mathrm{Fml}_{\mathrm{FOQD}}$ that is equivalent, i.e., $\models \phi\leftrightarrow\phi^\flat$. The converse holds trivially.

Proof. The proof follows an induction on the structure of formula $\phi$ for which it is imperative to find an equivalent $\phi^\flat$ in FOQD. Observe that the construction of $\phi^\flat$ from $\phi$ is effective.

0. If $\phi$ is a first-order formula, then $\phi^\flat := \phi$ already is a FOQD-formula such that nothing has to be shown.

(1) If $\phi$ is of the form $\varphi\vee\psi$, then by induction hypothesis there are FOQD-formulas $\varphi^\flat, \psi^\flat$ such that $\models \varphi\leftrightarrow\varphi^\flat$ and $\models \psi\leftrightarrow\psi^\flat$, from which we can conclude by congruence that $\models (\varphi\vee\psi)\leftrightarrow(\varphi^\flat\vee\psi^\flat)$ giving $\models \phi\leftrightarrow\phi^\flat$ by choosing $\varphi^\flat\vee\psi^\flat$ for $\phi^\flat$. Likewise reasoning concludes the other propositional connectives or quantifiers.

(2) The case where $\phi$ is of the form $\langle\alpha\rangle\psi$ is a consequence of the characterization of the semantics of QHPs in FOQD. The expressibility conjecture holds by induction hypothesis using the equivalence of explicit QHP renditions from Lemma 8.5:
\[
\models \langle\alpha\rangle\psi \leftrightarrow \exists\mathcal{B}\,(\mathcal{R}_\alpha(\mathcal{B}) \wedge @\mathcal{B}\,\psi^\flat). \tag{3}
\]
The case where $\phi$ is $[\alpha]\psi$ is again a consequence of Lemma 8.5:
\[
\models [\alpha]\psi \leftrightarrow \forall\mathcal{B}\,(\mathcal{R}_\alpha(\mathcal{B}) \to @\mathcal{B}\,\psi^\flat). \tag{4}
\]
□

8.4. Relative Completeness of First-order Assertions. As special cases of Theorem 8.2, we first prove relative completeness for first-order assertions about QHPs. These first-order cases constitute the basis for the general completeness proof for arbitrary QdL formulas.

In the sequel, we use the notation $\vdash_{\mathcal{D}}\phi$ to indicate that a QdL formula $\phi$ is derivable from a set of FOQD-tautologies, which is equivalent to saying that $\phi$ is derivable in the QdL calculus augmented with a single oracle axiom $\mathcal{D}$, that gives all valid FOQD-instances. The QdL calculus contains a complete calculus for propositional logic and for many-sorted first-order logic. We implicitly use simple propositional reasoning (using the cut rule) to glue together subproofs propositionally.

Proposition 8.7. (Relative completeness of first-order safety). For every QHP $\alpha$ and all FOQD formulas $F, G$
\[
\models F\to[\alpha]G \quad\text{implies}\quad \vdash_{\mathcal{D}} F\to[\alpha]G.
\]

Proof. We generalize the relative completeness proof by Cook [Coo78] to QdL and follow an induction on the structure of program $\alpha$. In the following, IH is short for the induction hypothesis.

(1) The cases where a is of the form f(s) := 9, ?x, /3 U 7, or j3; 7 are consequences of the 
soundness of the rules 



U 



and 



which are equivalence rules. Consequently, 



whenever their conclusion is valid, their premise is valid and of smaller complexity 
(the programs get simpler), hence the premise is derivable by IH. Thus, we can derive 
F — > [a]G by applying the respective rule. For [:=] and [:] , respectively, the premise 
is simpler because the quantified assignment is only applied to structurally simpler 
expressions (u) in the premise than in the conclusion (f(u)) while the program stays 
the same. For nondeterministic assignments, the reasoning is similar using equivalence 
rule 



:* 



instead of 



(2) 



Again, the premise is valid, and already a FOQD formula, hence 
derivable as an T> axiom directly. A formal rewrite proof along these lines is a simple 
modification of prior work [BP06] . We explicitly show the proof for (3; 7 as it contains 
an extra twist. 

⊨ F → [β; γ]G implies ⊨ F → [β][γ]G. By Lemma 8.6 there is a FOQD-formula G^♭ such that ⊨ G^♭ ↔ [γ]G. From the validity of ⊨ F → [β]G^♭ (which follows from ⊨ F → [β][γ]G and ⊨ G^♭ ↔ [γ]G by congruence) we can conclude by IH that ⊢_D F → [β]G^♭ is derivable. Similarly, ⊨ G^♭ → [γ]G yields ⊢_D G^♭ → [γ]G by IH. With an application of []gen, the latter derivation can be extended to a derivation of ⊢_D [β]G^♭ → [β][γ]G. Combining the above derivations propositionally by a cut with [β]G^♭, we can derive ⊢_D F → [β][γ]G, from which [;] yields ⊢_D F → [β; γ]G as desired.

(2) ⊨ F → [∀i : C f(s)' = θ & χ]G is a FOQD-formula and hence derivable as a D axiom directly.

(3) ⊨ F → [β*]G can be derived by induction. For this, we define the invariant as a FOQD encoding of the statement that all potential poststates of β* satisfy G according to Lemma 8.6:

φ ≡ ([β*]G)^♭ ≡ ∀β (R_{β*}(β) → @_β G).

Since F → φ and φ → G are valid FOQD-formulas according to the semantics, they are derivable by D. By []gen, ⊢_D [β*]φ → [β*]G is derivable from the latter. Likewise, φ → [β]φ is valid according to the semantics of repetition, thus derivable by IH, since β is less complex. Now ind yields ⊢_D φ → [β*]φ. Combining the above derivations propositionally by a cut with [β*]φ and φ yields ⊢_D F → [β*]G. □

Proposition 8.8 (Relative completeness of first-order liveness). For each QHP α and all FOQD-formulas F, G

⊨ F → ⟨α⟩G implies ⊢_D F → ⟨α⟩G.



Proof. We generalize the integer arithmetic completeness proof by Harel [Har79] to the hybrid case. Most cases of the proof are simple adaptations of the corresponding cases in Proposition 8.7. What remains to be shown is the case of repetitions. Assume that ⊨ F → ⟨β*⟩G. To derive this formula by con we use a FOQD-formula φ(n) as a variant expressing that, after n iterations, β can lead to a state satisfying G. This formula is obtained from Lemma 8.5 and 8.6 as (⟨β*⟩G)^♭ ≡ ∃β (R_{β*}(β) ∧ @_β G), except that the quantifier on the repetition count n is removed such that n becomes a free variable (plus index shifting to count repetitions):

φ(n − 1) ≡ ∃β ( … ∧ ∀i:ℕ (1 ≤ i < n → …) ∧ @_β G )

By Lemma 8.3, φ(n) can only hold true if n is a natural number.

According to the loop semantics, ⊨ n > 0 ∧ φ(n) → ⟨β⟩φ(n − 1) is valid by construction: if n > 0 is a natural number then so is n − 1, and if β* reaches G after n repetitions, then, after executing β once, n − 1 repetitions of β reach G. By IH, this formula is derivable, since β contains fewer loops. We have derived ⊢_D n > 0 ∧ φ(n) → ⟨β⟩φ(n − 1). Thus ⊢_D ∃v φ(v) → ⟨β*⟩∃v≤0 φ(v) by con. It only remains to show that the antecedent is derivable from F and that ⟨β*⟩G is derivable from the succedent. From our assumption, we conclude that the following are valid FOQD-formulas, hence D-axioms:

• ⊨ F → ∃v φ(v), because ⊨ F → ⟨β*⟩G, and

• ⊨ (∃v≤0 φ(v)) → G, because v ≤ 0 and the fact that, by Lemma 8.3, φ(v) only holds true for natural numbers, imply φ(0). Further, φ(0) entails G, because zero repetitions of β have no effect.

We extend the latter derivation to ⊢_D ⟨β*⟩∃v≤0 φ(v) → ⟨β*⟩G by ⟨⟩gen. Now, the above derivations can be combined propositionally by a cut with ⟨β*⟩∃v≤0 φ(v) and with ∃v φ(v) to yield ⊢_D F → ⟨β*⟩G. □



8.5. Relative Completeness of the QdL Calculus. Having succeeded with the proofs of the above statements about parts of the completeness proof, we can finish the proof of Theorem 8.2.

Proof of Theorem 8.2. The proof follows a basic structure similar to that of Harel's proof for the discrete case [Har79, Theorem 3.1]. We have to show that every valid QdL formula φ can be proven from FOQD axioms within the QdL calculus: from ⊨ φ we have to prove ⊢_D φ. The proof proceeds as follows: By propositional recombination, we inductively identify fragments of φ that correspond to φ1 → [α]φ2 or φ1 → ⟨α⟩φ2 logically. Next, we express subformulas φi equivalently in FOQD by Lemma 8.6 and use Propositions 8.7 and 8.8 to resolve these first-order safety or liveness assertions. Finally, we prove that the original QdL formula can be re-derived from the subproofs.

We can assume φ to be given in conjunctive normal form by appropriate propositional reasoning. In particular, we assume that negations are pushed inside over modalities using the dualities ¬[α]φ ≡ ⟨α⟩¬φ and ¬⟨α⟩φ ≡ [α]¬φ. The remainder of the proof follows an induction on a measure |φ| defined as the number of modalities in φ. For a uniform proof, we assume real quantifiers to be abbreviations for modal formulas by ∃x:ℝ φ ≡ ⟨x' = 1⟩φ ∨ ⟨x' = −1⟩φ and ∀x:ℝ φ ≡ [x' = 1]φ ∧ [x' = −1]φ. Following either x' = 1 or x' = −1, we can reach any real number as a value for x. Similarly, we assume quantifiers for sort C ≠ ℝ to be abbreviations for modal formulas by ∃x:C φ ≡ ⟨∀j:C x := j⟩φ and ∀x:C φ ≡ [∀j:C x := j]φ. We can obtain any object of sort C by an appropriate choice of j. Now the proof is by induction on the measure |φ| of φ.

(0) If |φ| = 0, then φ is a first-order formula, hence derivable by D.

(1) If φ is of the form ¬φ1, then φ1 is first-order, as we assumed negations to be pushed inside. Hence, case (0) applies: |φ| = 0.

(2) If φ is of the form φ1 ∧ φ2, then individually deduce the simpler proofs for ⊢_D φ1 and ⊢_D φ2 by IH, which can be combined by ∧r.

(3) If φ is a disjunction, then, without loss of generality, it has one of the following forms (otherwise use associativity and commutativity to select a different order for the disjunction):

φ1 ∨ [α]φ2
φ1 ∨ ⟨α⟩φ2

As a unified notation for those cases we use φ1 ∨ ⟨[α]⟩φ2. Then |φ2| < |φ|, since φ2 has fewer modalities. Likewise, |φ1| < |φ| because ⟨[α]⟩φ2 contributes one modality to |φ| that is not part of φ1.

According to Lemma 8.6 there are FOQD-formulas φ1^♭, φ2^♭ that satisfy ⊨ φi ↔ φi^♭ for i = 1, 2. By congruence, the validity ⊨ φ yields that ⊨ φ1^♭ ∨ ⟨[α]⟩φ2^♭, which directly implies ⊨ ¬φ1^♭ → ⟨[α]⟩φ2^♭. Then by Proposition 8.7 or 8.8, respectively, we can derive

⊢_D ¬φ1^♭ → ⟨[α]⟩φ2^♭.   (8.1)

Further, ⊨ φ1 ↔ φ1^♭ implies ⊨ ¬φ1 → ¬φ1^♭, which is derivable by IH, because |φ1| < |φ|. We combine the resulting derivation ⊢_D ¬φ1 → ¬φ1^♭ with (8.1) by a cut with ¬φ1^♭ to obtain

⊢_D ¬φ1 → ⟨[α]⟩φ2^♭.   (8.2)

Likewise, ⊨ φ2 ↔ φ2^♭ implies ⊨ φ2^♭ → φ2, which is derivable by IH, as |φ2| < |φ|. We can extend the derivation of ⊢_D φ2^♭ → φ2 to ⊢_D ⟨[α]⟩φ2^♭ → ⟨[α]⟩φ2 by []gen or ⟨⟩gen. Finally, we combine the latter propositionally with (8.2) by a cut with ⟨[α]⟩φ2^♭ to derive ⊢_D ¬φ1 → ⟨[α]⟩φ2, from which ⊢_D φ1 ∨ ⟨[α]⟩φ2 can be obtained, again using cut, to complete the proof. □



9. Distributed Car Control Verification

With the QdL calculus and the compatibility condition M(i,j) from eqn. (3.2), we can easily prove collision freedom, i.e., formula (5.2), in the distributed car control system (5.4):

(∀i,j:C! M(i,j)) → [(n := new C; ?∀i:C! M(i,n); ∀i:C! (x(i)'' = a(i)))*] ∀i≠j:C! x(i) ≠ x(j)   (9.1)

The biggest challenge in the proof of this QdL formula is that it involves continuous dynamics, discrete dynamics, and dimensional dynamics, and that all parts of the system need to interact safely for the system to stay collision-free. In particular, formula (9.1) states a safety property of unboundedly many cars driving on a road, where an unbounded number of new cars may additionally appear dynamically during the evolution of the system. See Fig. 8 for a formal QdL proof of this QdL formula, which proves collision freedom despite dynamic appearance of new cars.

The proof in Fig. 8 uses induction (rule ind) with invariant ∀i,j:C! M(i,j). Figure 8 does not show the branch proving that the invariant ∀i,j:C! M(i,j) implies the postcondition ∀i≠j:C! x(i) ≠ x(j), which is easy to prove.

The proof step marked by new uses the definition of new C from eqn. (5.1). To save space, we abbreviate [E(n) := 1] by [E(n)] in Fig. 8. The proof uses two derived rules from Section 6 to propagate the effect of object creation on actualist quantifiers and on actualist quantified assignments, respectively. In the latter rule, the shorthand notation ∀i:C!∪{n} S_t(i) in the resulting formula indicates that the new object n is also updated according to the solution S_t(n), not just the previously existing objects (∀i:C! S_t(i)). Here, we abbreviate by S_t(i) the solution x(i) := x(i) + v(i)t + (a(i)/2) t², v(i) := v(i) + a(i)t of the quantified differential equation ∀i:C! x(i)'' = a(i), which rule ['] introduces. For the top-most application of rule [:=], we denote by S_t M(i,j) the result of substituting ∀i:C! S_t(i) into M(i,j) according to rule [:=]. In Fig. 8 we leave out some irrelevant formulas, indicated by ellipsis (...) or gray print. The proof closes (indicated by *) by QE. Hence, QdL formula (9.1) is valid by Theorem 7.1.

Figure 8: QdL proof for collision freedom in distributed car control with dynamic appearance. DCCS abbreviates the loop body n := new C; ?∀i:C! M(i,n); ∀i:C! (x(i)'' = a(i)) of (9.1). Read from the conclusion (bottom) upwards, the sequents of the proof tree are:

∀i,j:C! M(i,j) → [(DCCS)*] ∀i≠j:C! x(i) ≠ x(j)
∀i,j:C! M(i,j) → [DCCS] ∀i,j:C! M(i,j)   (ind)
∀i,j:C! M(i,j) → [n := new C][?∀i:C! M(i,n); ∀i:C! (x(i)'' = a(i))] ∀i,j:C! M(i,j)
E(n) = 0, ∀i,j:C! M(i,j) → [E(n)][?∀i:C! M(i,n); ∀i:C! (x(i)'' = a(i))] ∀i,j:C! M(i,j)   (new)
∀i,j:C! M(i,j) → [E(n)](∀i:C! M(i,n) → [∀i:C! (x(i)'' = a(i))] ∀i,j:C! M(i,j))
∀i,j:C! M(i,j), [E(n)]∀i:C! M(i,n) → [E(n)][∀i:C! (x(i)'' = a(i))] ∀i,j:C! M(i,j)
∀i,j:C! M(i,j), ∀i:C! M(i,n) → [E(n)][∀i:C! (x(i)'' = a(i))] ∀i,j:C! M(i,j)
∀i,j:C! M(i,j), ∀i:C! M(i,n) → [E(n)] ∀t≥0 [∀i:C! S_t(i)] ∀i,j:C! M(i,j)   (['])
∀i,j:C! M(i,j), ∀i:C! M(i,n), t≥0 → [E(n)][∀i:C! S_t(i)] ∀i,j:C! M(i,j)
∀i,j:C! M(i,j), ∀i:C! M(i,n), t≥0 → [∀i:C!∪{n} S_t(i)][E(n)] ∀i,j:C! M(i,j)
∀i,j:C! M(i,j), ∀i:C! M(i,n), t≥0 → [∀i:C!∪{n} S_t(i)] ∀i,j:C! (M(i,n) ∧ M(i,j))
∀i,j:C! M(i,j), ∀i:C! M(i,n), t≥0 → [∀i:C!∪{n} S_t(i)] (M(i,n) ∧ M(i,j))
∀i,j:C! M(i,j), ∀i:C! M(i,n), t≥0 → S_t M(i,n) ∧ S_t M(i,j)   ([:=])

At the top, the conjunction splits into the two branches ..., M(i,n), t≥0 → S_t M(i,n) and ..., M(i,j), t≥0 → S_t M(i,j), both of which close (*) by QE.

In a similar way, the QdL proof rules can prove collision freedom in an advanced distributed car control system that has both dynamic appearance of cars on the road as in (5.4) and more flexibility in acceleration and braking choices of the individual cars as in (5.3). For this, we choose a weaker constraint for M(i,j) that allows cars that move with quite different accelerations, if only the respective safety distances are compatible with the different velocities:

M(i,j) ≡ i ≠ j → ((x(i) < x(j) ∧ v(i)² < v(j)² + 2b(x(j) − x(i)) ∧ v(i) ≥ 0 ∧ v(j) ≥ 0)
  ∨ (x(i) > x(j) ∧ v(j)² < v(i)² + 2b(x(i) − x(j)) ∧ v(i) ≥ 0 ∧ v(j) ≥ 0))

With this choice for M(i,j), the QdL proof calculus can be used to prove the following QdL formula with a proof very similar to that in Fig. 8:

∀i,j:C! M(i,j) →
[(n := new C; ?∀i:C! M(i,n);
  ∀i:C! a(i) := if ∀j:C! far(i,j) then a else −b fi;
  r := 0; ∀i:C! (x(i)' = v(i), v(i)' = a(i), r' = 1 & v(i) ≥ 0 ∧ r ≤ ε))*
] ∀i≠j:C! x(i) ≠ x(j)   (9.2)

The QHP in QdL formula (9.2) allows all cars to change their respective acceleration freely when all other cars are sufficiently far away like in (5.3). For this, we choose a condition characterizing that the distributed car control system stays controllable for at least ε time units (which is the maximum reaction time of the controller):

far(i,j) ≡ x(j) > x(i) → x(j) > x(i) + …
The continuous dynamics in (9.2) is bounded by the evolution domain constraint r ≤ ε to evolve for at most ε time units, at which point, at the latest, the discrete controllers will have a chance to react to situation changes again (i.e., the control loop repeats). The QdL proof of (9.2) has the same structure as that in Fig. 8 except that the arithmetic is more involved to handle the resulting nonlinear and nonmonotonic arithmetic constraints, see [Pla10d].
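As an added worked derivation, not part of the original paper, the following carries out the arithmetic core of the inductive step for (9.2), i.e., the branch M(i,j), t ≥ 0 → S_t M(i,j) that closes by QE in Fig. 8, now for the velocity-dependent M(i,j) above, in the case where both cars brake (a(i) = a(j) = −b with b > 0). The branch in which a car accelerates additionally depends on far(i,j) and is not carried out here. The abbreviation D(i) is introduced for this derivation only; everything else is the paper's notation.

```latex
% Added derivation (not from the paper). D(i) is an abbreviation introduced here.
% Braking case of the inductive step for (9.2): a(i) = a(j) = -b, b > 0, first disjunct x(i) < x(j).
% Solution S_t(i) of x(i)' = v(i), v(i)' = -b:  x(i) := x(i) + v(i) t - (b/2) t^2,  v(i) := v(i) - b t.

Let $D(i) \equiv v(i)^2 + 2b\,x(i)$, so that the first disjunct of $M(i,j)$ reads
\[
  x(i) < x(j) \;\wedge\; D(i) < D(j) \;\wedge\; v(i) \ge 0 \;\wedge\; v(j) \ge 0 .
\]

(a) $D(i)$ is conserved along braking:
\begin{align*}
  S_t D(i) &= (v(i) - bt)^2 + 2b\bigl(x(i) + v(i)t - \tfrac{b}{2}t^2\bigr) \\
           &= v(i)^2 - 2b\,v(i)t + b^2t^2 + 2b\,x(i) + 2b\,v(i)t - b^2t^2 \\
           &= D(i),
\end{align*}
hence $D(i) < D(j)$ implies $S_t D(i) < S_t D(j)$ for every $t$.

(b) The order of positions is preserved while both velocities are nonnegative:
\[
  S_t x(j) - S_t x(i) = \bigl(x(j) - x(i)\bigr) + \bigl(v(j) - v(i)\bigr)\,t .
\]
If $v(j) \ge v(i)$ this is at least $x(j) - x(i) > 0$. If $v(i) > v(j)$, the evolution domain
constraint $S_t v(j) \ge 0$ gives $t \le v(j)/b$, and with $2b\,(x(j) - x(i)) > v(i)^2 - v(j)^2$
(that is, $D(i) < D(j)$):
\begin{align*}
  S_t x(j) - S_t x(i)
    &\ge \bigl(x(j) - x(i)\bigr) - \bigl(v(i) - v(j)\bigr)\tfrac{v(j)}{b} \\
    &> \tfrac{v(i)^2 - v(j)^2}{2b} - \tfrac{(v(i) - v(j))\,v(j)}{b}
     = \tfrac{(v(i) - v(j))^2}{2b} > 0 .
\end{align*}

(c) $S_t v(i) \ge 0 \wedge S_t v(j) \ge 0$ is the evolution domain constraint $v(i) \ge 0$
of (9.2) itself, which the differential equation rule supplies as an assumption for the
instant $t$ under consideration.

Together, (a) to (c) yield the branch
\[
  M(i,j),\; t \ge 0,\; (\text{domain constraint up to } t) \;\to\; S_t M(i,j)
\]
for the braking case; the second disjunct ($x(i) > x(j)$) is the same argument with $i$ and $j$ exchanged.
```

The point of (a) is that for a common braking power b the condition v(i)² < v(j)² + 2b(x(j) − x(i)) orders the stopping points x(i) + v(i)²/(2b) < x(j) + v(j)²/(2b), which braking leaves unchanged; the nonlinear part of the obligation is entirely in (b), where the evolution domain bound on t is what makes the estimate go through. With different braking powers per car, as in the follow-up work cited below, D(i) is no longer conserved and this shortcut is unavailable.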

For a QdL proof extending the above ideas to a proof of collision freedom for a more realistic distributed car control system having arbitrarily many cars switching between arbitrarily many lanes with dynamic appearance and disappearance of arbitrarily many cars, we refer to follow-up work [LPN11]. Unlike our simplified system model, this follow-up work does not assume that all cars use the same braking power.

10. Conclusions 

We have introduced a formal system model and semantics for dynamic distributed hybrid 
systems together with a compositional verification logic and proof calculus. We believe this 
is the first formal verification approach for distributed hybrid dynamics, where structure and 
dimension of the system can evolve jointly with the discrete and continuous dynamics. Our 
approach handles distributed hybrid systems with interacting discrete dynamics, continuous 
dynamics, structural dynamics, and dimensional dynamics. We have proven our calculus to 
be a sound and complete axiomatization relative to quantified differential equations. Our 
calculus proves collision avoidance in distributed car control with dynamic appearance of 
new cars on the road, which is out of scope for other approaches. 

Future work includes full modular concurrency in distributed hybrid systems, which is 
already challenging in discrete programs. 